Author: Maria Silvia Martinson, lawyer at RestMark METIDA
Ever since the European Court of Justice’s (ECJ) landmark decision C-131/12 on 13 May 2014, the Right to be Forgotten seems to be the talk of the day. Although more than 3 years have passed, different nuances of the aforementioned right in the context of both current and upcoming regulations of Data Protection in the EU as well as the implications deriving from such provisions and their implementation still seem to be heavily discussed. Since the new EU General Data Protection Regulation (GDPR) becomes applicable in May 2018, replacing the Data Protection Directive 95/46/EC and with it the provisions regulating the Right to be Forgotten, a short recap of the most important points must be in order.
The Right to be Forgotten is an individual’s right to request that his or her personal data be removed from accessibility when there is no justification for its continued processing by the data controller (for example, a company). Columnist Suzanne Moore has even called the Right to be Forgotten the Right to Have an Imperfect Past.
In the European Union, the aforementioned concept was first introduced on a wider scale by the ECJ in their landmark ruling C-131/12. The case revolved around a Spanish citizen who filed a complaint against Google Inc and Google Spain in 2010, because two newspaper pages announcing the forced sale of his home which had been published in 1998 still appeared in Google searches of his name. He claimed that the attachment proceedings had been fully resolved years ago and that the reference to them was now entirely irrelevant, thus requesting that Google remove his personal data so that the pages would no longer appear in the search.
Based on the Data Protection Directive 95/46/EC (especially Article 12), the ECJ stipulated in the aforementioned decision that:
- the indexing of information by a search engine is „processing of personal data“;
- search engines (e.g. Google) are „controllers of personal data“;
- individuals have in principle the right to ask search engines to remove links with personal information about them.
However, it must be noted that the aforementioned right is not absolute in its nature, but applies only if the personal information is inaccurate, inadequate, irrelevant or excessive for the purposes of the data processing. This also means that even initially lawful processing of accurate data may become incompatible with the Data Protection principles in the course of time.
In practice, each request submitted by an individual needs to be assessed on a case-by-case basis, because the Right to be Forgotten does not necessarily override all other fundamental rights (such as the interest of the public in having certain information, which may be higher when the data subject is, for example, a public figure). Therefore a fair balance ought to be sought between different rights.
By now, many search engines (including Google) have a specialised form that can be filled and directly forwarded to the search engine to request removal of personal data. Interestingly enough, according to the Guardian, up to March 2015, the total number of requests made to Google was 218 320, out of which 46% were satisfied. According to Techworld, since the ECJ decision and as of September 2017 Google has removed more than 800,000 links due to erasure requests, but has kept more than a million in its searches.
However, further changes are on the horizon. As noted above, the new GDPR will replace the current regulation in May 2018. The Right to be Forgotten is stipulated in Article 17 („Right to Erasure“) of the new act and offers a broader and more detailed list of circumstances under which individuals can exercise the right to erase their personal data (e.g. if the data is no longer necessary to serve the purposes for which it was originally processed). The new regulation also flips the burden of proof from the „data subject“ (individual) to the „data controller“ (company). This means that instead of the data subject having to provide legal grounds for objecting, the data controller must show „compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject“ (GDPR Article 21).
Additionally, the GDPR widens the scope of territorial applicability of the Right to be Forgotten by also affecting organisations established outside the EU if they (either as a controller or processor) process the personal data of EU residents when offering them goods or services.
As a conclusion it can definitely be said that the Right to be Forgotten is here to stay and further evolve with the GDPR becoming enforceable. Although the new regulation will make life easier for the individual (and consequentially more difficult for the data controllers) by specifying circumstances which allow requesting erasure of personal data and flipping the burden of proof to the data controller, the practical implications of the changes are yet to be seen. What will surely remain the same is the case-by-case assessment of all erasure requests in order to find the fair balance between different fundamental rights.