Associate Professor, Faculty of Law, Aristotle University of Thessaloniki
Paper presented at: Segurança da informação e Direito Constitucional do ciberespaço, 17-18 November 2016, Lisbon
The right to be forgotten is a new digital right which is included in the General Data Protection Regulation (Regulation 2016/679), entering into force in 2018. Ιt has also has been recognized by the decision of the Court of Justice of the EU with its decision of 13 May 2014 in case C-131/12, which interpreted the provisions of Directive 95/46/EEC as to include a right ‘to be forgotten’ on the Net. This case dealt with search engines and their obligation to remove links to web pages from their lists of results, following requests of data subjects on the grounds that information should no longer be linked to their name by means of such a list and taking into account that even initially lawful processing of accurate data may, in the course of time, become incompatible with the directive where those data are no longer necessary in the light of the purposes for which they were collected or processed. The digital right to be forgotten, however, is more than an obligation of search engine providers to remove links to personal data. It, moreover, embodies the claim of individuals to have personal data relating to them deleted, particularly those posted in social media, unless there is a compelling ground for keeping it. It, effectively, deals with the consequences of an Internet that ‘never forgets’, ensuring personal autonomy and privacy.
Keywords: Data protection, freedom of expression, right to be forgotten, right to oblivion, search engines
Table of Contents
In 2012, the EU Commission presented the proposal for a Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (‘General Data Protection Regulation’, GDPR), repealing Directive 95/46/EEC, with the aim to modernize the legal framework for data protection in the EU (Hornung, 2012; De Hert/Papakonstantinou, 2012; Danagher, 2012; Kuschewsky, 2012; Traung, 2012). A central provision in the proposed Regulation was Article 17 introducing the ‘right to be forgotten’ in the digital environment, which drew its origins from the ‘right of oblivion’ – or le droit à l’oubli, recognized by case-law in France, Italy and other countries (Mantelero, 2012). In the final text of the Regulation that was recently adopted, i.e. Regulation 2016/679, some changes took place, but the essence of the right to be forgotten remained unaffected, while its title changed to ‘Right to erasure’.
The intended effect of the right to be forgotten is to enhance users’ rights on the Internet and remedy the lack of control over their personal data (Ausloos, 2012). It also presents an attempt to deal with the issue of digital forgetting, in other words, with the privacy issues arising in a Web that never forgets (Rosen, 2011). In more particular, in the digital age the ‘default of forgetting’ has gradually shifted towards a ‘default of remembering’ as pointed out by Mayer-Schönberder (Mayer-Schönberger, 2009), and this causes major privacy risks in a world of big data (Koops, 2011). This is a world in which it is almost impossible to escape the past, since every status update or photograph, and every tweet may be copied and/or reposted by other users or saved in Internet archives, such as the wayback machine1, and in cached pages2; as a result that information may be available online, even if it has been deleted in its initial place (Mitrou/Karyda, 2012). Moreover, search engines provide a great number of personal information for any particular person in case a search with a name and/or surname is carried out.
In this context, the introduction of a right to be forgotten is the recognition of the enhanced capacity of cyberspace to disseminate and distribute huge amounts of data, including personal data, hence making it impossible to control the flow of personal information (Ausloos, op. cit.).
It should be noted that there are different conceptual approaches as regards this new right in the literature. While it is conceived primarily as a right (e.g., Conley, 2010), other authors speak of an ethical or social value (Blanchete/Johnson, 2002) or of a policy aim (Mayer-Schönberger, op. cit.) and of a 'legitimate interest to forget and to be forgotten' (Rouvroy, 2008). In addition, it is connected with the right to personal identity, in so far as it expresses ‘the ability to reinvent oneself, to have second chance to start-over and present a renewed identity to the world’ (Andrade, 2011, p. 91).
What is common in these conceptualizations is the recognition that an individual has a significant interest possibly protected by a legal right in not being confronted by others with data from the past, which are not relevant for current decisions or views about him or her (Koops, 2001, at 232). In the digital world, this right takes a more pragmatic form; it is conceived as an individual's claim to erasure of data relating to him and it may as well be rephrased as a right to ‘cyber oblivion’ (Xanthoulis, 2012).
As the Internet is an inherent part of our lives today, privacy on the Internet has become a very important issue. In our understanding, privacy is not the right to ‘be let alone’, which amounts to an outdated conception (Warren/Brandeis, 1890), but more or less stands for the autonomy of the individual to decide which information and where he or she wishes to disclose.
To deal with threats to privacy and autonomy, it is suggested to embrace a set of internet privacy rights, which will deal efficiently with those threats (Bernal, 2014). Such a rights-based approach differentiates from a purely statutory approach and it refers to the concept of expectations in the theory of Luhmann (Luhmann, 1995), as they reflect what individuals consider to be their rights. In particular, the digital rights are the following:
a) The right to browse the internet with privacy: it means that internet users when searching for and accessing to information, when buying or making another transaction have a legitimate expectation of privacy
b) The right to monitor those who monitor us: this right is understood as the right to be informed in case of lawful data monitoring
c) the right to delete personal data: this represents the claim of the individual to have its personal data deleted, so this constitutes the right to be forgotten
d) the right to an online identity: this is the right to create an online identity, to assert that online identity and to protect it. This includes the right to keep identity data confidential and not revealing those data, unless it is absolutely necessary.
As it is evident, the right to be forgotten which the subject of this presentation has a pivotal position in the above set of digital rights. In our view, it is important to comprehend the above right as part of our fundamental digital rights, since it is, in a sense, distinct from privacy. More particularly, the right to privacy extends to information that it is not publicly known, while the right to be forgotten refers to information to be deleted that were made previously public (Weber, 2011).
III. The regulation of Article 17 GDPR and the CJEU decision in the Google Spain case
The provision of Article 17 GDPR basically includes a right to erasure of data that requires the controller to delete personal data and preclude any further dissemination of this data, but also to oblige third parties, e.g. search engines, etc., to delete any links to, or copies or replication of that data.
This applies in six instances, which derive from data protection principles (Costa, Poullet, 2012): (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing; (c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing; (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; (f) the personal data have been collected in relation to the offer of information society services to children.
The right to be forgotten which is enshrined in the GDPR is not conceived as an absolute right; thus, a number of exceptions restrict its ambit, the most important being the freedom of expression and information. There is consensus that such a right cannot amount to a right of erasure of history and turn our modern society into a society of ‘lotus eaters’ (Iglezakis, 2014), which would be the case if the Internet was programmed to forget, e.g. if Internet content was programmed to auto-expire (Fleischer, 2011).
However, there are concerns expressed by US authors, mainly, that this right will have chilling effects on free expression, as it might force Internet intermediaries to censor the contents that they publish or to which they link, and hence, lose their neutral status (see, e.g., Rosen, 2012, Fleischer, 2011). IN U.S. there is a legal tradition which denies protection of the right to be forgotten, at least as far as media and the press are concerned, which enjoy the right to publicize information that is legally available and not countervailing argument could be invoked to restrict this right with regard to the past of criminals and other detestable persons (Werro, 2009).
Search engines are also affected by a right to be forgotten. In more particular, search engines facilitate the finding of data through the myriad of pages published in the World Wide Web and in consequence, they enhance the ability of individuals to receive and impart information. Any restriction of search engines' functioning, therefore, might be seen as a restriction of freedom of expression (Alsenoy et al., 2013).
Viviane Reding, the former EU Justice Commissioner and former Vice-President of the EU Commission, pointed out that this right builds on already existing rules, and is not an ex novo right (Redding, 2012). Indeed, the European Union Court of Justice issued a decision on May 13 2014, in case C-131/12 (Google Spain SL, Google Inc. v. Agencia Espanola de Proteccion de Datos, Mario Costeja Gonzalez), in which it confirmed that view, as it found that the ‘right to be forgotten’ is rooted in the provisions of Directive 95/46/EEC. Consequently, Vivian Reding referred to this decision in a post on Facebook as a ‘clear victory for the protection of personal data of Europeans’3.
Thus, the decision of the CJEU reinforced digital forgetting despite the hesitating stance of EU governments that decided to delay the data protection reform initiated by the Proposal for a Data Protection regulation until 2015, though it was expected to have the data protection reform finalized before the European Parliamentary election of May 2014.4 It should be underlined that this decision comes one month after the decision of the Court in case C-293/12 and C0594/12 (Digital Rights Ireland and Seitlinger and Others), which declared the Data Retention Directive to be invalid. This does not suggest that the Court is carrying out judicial activism in favor of informational privacy, since the rulings in both cases are justified. It represented a clear message, nevertheless; particularly as far as the Google case is concerned, it is evident that it supported the reform of the EU legal framework on data protection and the introduction of a control right, such as the ‘right to be forgotten’. It makes no surprise, thus, that this right was actually included in the Regulation 2016/679.
Moreover, it is evident that the ruling of the CJEU in this case, which recognized a right to have Google delete links to data that are irrelevant and/or outdated, will have significant repercussions, particularly to Internet companies, such as search engines. Google, shortly after the decision was issued, received certain removal requests; more specifically, an ex-politician seeking re-election demanded to have links to an article about his behavior in office removed, a man convicted of possessing child abuse images also requested links to pages about his convictions to be erased and, a doctor asked for the removal of negative reviews from patients from the results on searches5.
From Google’s perspective this represents a very negative situation, as it received an overflow of removal requests, on the basis of the CJEU decision. In order to cope with it, it created a new process for the erasure of data, namely, a web form through which people can submit their requests for the erasure of links to information regarding them.6 Google reported to have received more than 91,000 requests by July, 2014, which covered a total of 328,000 links, and it approved more than 50% of them, it asked for more information in about 15% of the cases and rejected more than 30% of the applications.7 The way Google handled the removal requests, however, was criticized by EU regulators, since it restricted the removal of Internet links to European sites only and it notified the owners of websites that have been removed from search results when it proceeds to such removal.8
IV. The ECJ decision in the Google Spain case, in particular
The main issue at stake in the Google Spain case was whether the relevant provisions of the Directive might serve as a legal basis for claims of removal of personal data from the list of search names displayed after a search is made on the basis of the name of an individual.
The CJEU considered first the provision of Article 12 (b) of the Directive, which states that ‘Member States shall guarantee every data subject the right to obtain from the controller as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the Directive, in particular because of the incomplete or inaccurate nature of the data’. The list of the reasons that justify such a claim is not an exhausting one, so the Court held that the incompatibility of the processing with the provisions of the Directive may also result from the fact that such data are inadequate, irrelevant or excessive in relation to the purposes of the processing, that they are not kept up to date, or that they are kept for longer than is necessary, unless they are required to be kept for historical, statistical or scientific purposes. This is a particular reference to the data quality principle as enshrined in the provisions of Article 6 (1) (c) to (e) of the Directive.9
The Court further made the argument that even initially lawful processing of accurate data may, in the course of time, become incompatible with the Directive where those data are no longer necessary in the light of the purposes for which they were collected or processed.10 It is evident that this line of argumentation is influenced by the provisions of the Draft Regulation establishing the right to be forgotten and shows the commitment of the Court to the data protection reform process.
Subsequently, the Court applied this maxim to the circumstances of the case; it stated in particular that if a request by the data subject is made, in accordance with Article 12 (b) of the Directive, clarifying that the inclusion in the list of results displayed following a search made on the basis of his name of the links to web pages published lawfully by third parties and containing true information relating to him personally is, at this point in time, incompatible with Article 6(1)(c) to (e) of the Directive because that information appears, having regard to all the circumstances of the case, to be inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing at issue carried out by the operator of the search engine, then the information and links in the list of results must be erased.11
Further, in case the data subject exercises his/her right to object on compelling legal grounds relating to his/her particular situation to the processing of personal data relating to him/her, according to Article 14 (a) of the Directive, the Court supported the view that where such requests are based on alleged non-compliance with the conditions laid down in Article 7(f) of the Directive, the processing must be authorized under Article 7 for the entire period during which it is carried out.12
The time factor appears to play a role in this case, and thus, the Court found that in such requests it should be examined whether the data subject has a right that the information relating to him/her personally should, at this point in time, no longer be linked to his/her name by a list of results displayed following a search made on the basis of his name.13
The CJEU went even further; it emphasized that the right of the data subject to request the removal of information from the search results of search engines is based on Articles 7 and 8 of the Charter of Fundamental Rights of the EU and these rights override not only the economic interest of the operator of the search engine, but also the interest of the general public in finding information concerning a data subject.
An exception from this rule is made in case the data subject is a public figure, because then the interference with his fundamental rights is justified by the preponderant interest of the general public in having, on account of inclusion in the list of results, access to the information in question.14
Finally, the Court made particular reference to the issue in the main proceedings concerning the display, in the list of results that the internet user obtains by making a search by means of Google Search on the basis of the data subject’s name, of links to pages of the on-line archives of a daily newspaper that contain announcements mentioning the data subject’s name and relating to a real-estate auction connected with attachment proceedings for the recovery of social security debts. The Court’s decision is that, taking into account the sensitivity of this information and the fact that this information had taken place 16 years earlier, the data subject substantiated a right not to have this information linked to his name by means of a list of search results.
The new digital right to digital forgetting has already had quite a success, although its statutory implementation is yet to happen. Search engines have complied with the decision of the CJEU in the Google Spain case and respond to requests for deleting search results. The first company that published a form for deletion requests was Google, but also Bing and Yahoo followed suit.15 Although, in the beginning the removals only took place as regards European versions of Google, it has been extended to all of its domains, as the French data protection authority threatened to impose sanctions on Google if it did not remove search results globally across all versions of its service and not just European domains.16 Naturally, once the GPDPR enters into force, the right to be forgotten will acquire a wider dimension, covering a multitude of internet services.
Alsenoy, B., Van/Kuczerawy, A./Ausloos, J., Search engines after Google Spain: internet@liberty or privacy@peril?, ICRI working paper 15/2013, online available at: https://www.law.kuleuven.be/icri/ and http://ssrn.com/link/ICRI-RES.html.
Ausloos, J., The 'Right to be Forgotten' Worth remembering?, (2012) Computer Law & Security Review 28, pp. 143-152.
Bernal, P., Internet Privacy Rights. Rights to Protect Autonomy (2014) Cambridge University Press.
Blanchette, J. -F./Johnson, D.G., Data Retention and the panoptic society: The social benefits of forgetfulness, (2002) The Information Society: An International Journal, vol. 18, issue 1.
Conley, C., The Right to Delete, AAAI Spring Symposium Series, North America, (2010), online available at: http://www.aaai.org/ocs/index.php/SSS/SSS10/paper/view/1158/1482
Costa, L./Poullet, Y., Privacy and the regulation of 2012, (2012) Computer Law & Security Review 28, pp. 254-262.
Danagher, L., An Assessment of the Draft Data Protection Regulation: Does it Effectively Protect Data?, (2012) European Journal of Law and Technology vol. 3, No. 3, online available at: http://ejlt.org//article/view/171/260.
Fleischer, P., Foggy Thinking About the Right to Oblivion, Privacy...? (Mar. 9, 2011), online available at: http://peterfleischer.blogspot.com/2011/03/foggy-thinking-about-right-to-oblivion.html.
Hert, P. De/Papakonstantinou, V., ‘The proposed data protection regulation replacing Directive 95/46/EC: a sound system for the protection of individuals’, (2012), Computer Law & Security Review, issue 2, vol.28, pp.130 – 142.
Hornung, G., A General Data Protection Regulation for Europe? Light and Shade in the Commission's draft of 25 January 2012, (2012) scripted vol. 9, issue 1, 2012.
Iglezakis, I., The right to digital oblivion and its restrictions (2014), Sakkoulas ed. (in Greek).
Koops, B.–J., Forgetting Footprints, Shunning Shadows. A Critical Analysis of the “Right to Forgotten” in Big Data Practice, (2011) scripted vol. 8, Issue 3, Dec. 2011.
Kuschewsky, M., Sweeping Reform for EU Data Protection, (2012) European Lawyer, 112, pp. 12 et seq.
Luhmann, N. Social Systems (1995), Stanford University Press.
Mayer-Schönberger, V., Delete: The Virtue of Forgetting in the Digital Age (2009), Princeton University Press.
Mandelero, A, U.S. Concern about the European Right to Be Forgotten and Free Speech: Much Ado about Nothing? (2012), Contratto e impresa, pp. 727-740, online available at: http://porto.polito.it/2503514/
Mitrou, L./Karyda, M., EU's Data Protection Reform and the Right to be Forgotten: A Legal Response to a Technological Challenge? (February 5, 2012). 5th International Conference of Information Law and Ethics 2012, Corfu-Greece, June 29-30, 2012, online available at SSRN: http://ssrn.com/abstract=2165245
Reding, V., The EU Data Protection Reform 2012: Making Europe the Standard Setter for Modern Data Protection Rules in the Digital Age, Munich 22 January 2012, Speech/12/26.
Rosen, J., Free Speech, Privacy, and the Web that Never Forgets, (2011) 9 J. on Telecomm. and High Tech. L. 345.
Rosen, J., The Right to Be Forgotten, 64 Stan. L. Rev. Online 88, February 13, 2012, online available at: http://www.stanfordlawreview.org/sites/default/files/online/topics/64-SLRO-88.pdf
Rouvroy, A., Reinventer l'art d'oublier et de se faire oublier dans la de l'information? version augmentée, (2008) online available at: http://works.bepress.com/antoinette_rouvroy/5/
Traung, P., The Proposed New EU General Data Protection Regulation, (2012) CRi, issue 4, pp. 33-49.
Werro, F., ‘The Right to Inform v. the Right to be Forgotten: A Transatlantic Clash’, in: Aurelia Colombi Ciacchi, Christine Godt, Peter Rott, Leslie Jane Smith, (eds.), Liability in the Third Millenium, F.R.G., 2009, online available at: SSRN: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1401357
Xanthoulis, N., Conceptualising a Right to Oblivion in the Digital World: A Human Rights-Based Approach (2012), online available at SSRN: http://ssrn.com/abstract=2064503
Ambrose, M.L./Friess, N./Matre,J.V., Seeking Digital Redemption: the Future of Forgiveness in the Internet Age, Santa Clara Computer and High Technology Law Journal, Vol. 29 (2012).
Andrade, N. G. de, Right to Personal Identity: The Challenges of Ambient Intelligence and the Need for a New Legal Conceptualization, in: S. Gutwirth et al (eds), Privacy and Data Protection. An Element of Choice (2011), pp. 65-97.
Blanchette, J.-F., The Noise in the Archive: Oblivion in the Age of Total Recall, in Gutwirth S. et al.(ed.), Computers, Privacy and Data Protection: an Element of Choice (2011), p. 25 ff.
Castellano, P, S., The right to be forgotten under European Law: A Constitutional debate, Lex Electronica, vol. 16.1 (Winter 2012).
Giannakaki, M., The right to be forgotten in the era of social media and cloud computing, in: Akrivopoulou C. and Garipidis N. (ed.), Human Rights and Risks in the Digital Era: Globalization and the Effects of Information Technologies, 2012, p. 11 ff.
Mayer-Schönberger, V., Usefull Void: The Art of Forgetting in the Age of Ubiquitous Computing, Working paper RWP07, John F. Kennedy, School of Government, Harvard University, April 2007, online available at: http://www.vmsweb.net/attachments/pdf/Useful_Void.pdf
Szekely, I., The Right to Forget, the Right to be Forgotten. Personal Reflections on the Fate of Personal Data in the Information Society, in: S. Gurwith et al (eds.), European Data Protection: In Good Health?, 2012.
Terwangne, C. de, Internet Privacy and the Right to Be Forgotten/Right to Oblivion, (2012) IDP Numero 13, pp. 109-121.
Walker, R., K., The Right to Be Forgotten, (2012) Hastings Law Journal, Vol. 64:101, pp. 257-286.
Warren, S & Brandeis, L., ‘The Right to Privacy’, (1890) Harvard Law Review, Vol. IV, December 15, 1890, No. 5.
Weber, R.H., The Right to Be Forgotten More Than a Pandora’s Box?, (2011) Jipitec 2, no. 2 (July 26), online available at: http://www.jipitec.eu/issues/jipitec-2-2-2011/3084
Zittrain, J. L., The Future of the internet, And How to stop it, Virginia, Yale University Press 2008.
2. http://www.googleguide.com/cached_pages.html, http://www.cachedpages.com/, http://www.viewcached.com/
4. In the conclusions agreed on at the European Council Meeting in Brussels it is mentioned that new EU data protection rules and a new cyber security framework are to be adopted "by 2015", see: http://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/ec/139197.pdf
5. See J. Wakefield, Politican and paedophile ask Google to ‘be forgotten’, bbc.com, 15 May 2014, http://www.bbc.com/news/technology-27423527
6. ”Google launches 'right to be forgotten' webform for removal requests”, theguardian, Friday 30 May, 2014, www.theguardian.com
7. See Dave Lee, Google faces data watchdogs over 'right to be forgotten', http://www.bbc.com/news/technology-28458194
8. See J. Fioretti, Google under fire from regulators on Eu privacy ruling, Reuters, July 24, 2014.
9. Case C-131/12, nr. 92-95.
10. Op. cit., nr. 93.
11. Op. cit., nr. 94.
12. Op. cit., nr. 95.
13. Op. cit., nr. 96.
14. Op. cit., nr. 97.
15. See ‘Microsoft and yahoo respond to European ‘right to be forgotten’ requests’, thequardian, 1 Dec. 2014, https://www.theguardian.com/technology/2014/dec/01/microsoft-yahoo-right-to-be-forgotten
16. See ‘Google to extend ‘right to be forgotten’ to all its domains accessed in EU’, the guardian 11 Febr. 2016, https://www.theguardian.com/technology/2016/feb/11/google-extend-right-to-be-forgotten-googlecom