Right to be Forgotten, privacy law, GDPR, Google Spain, data protection, digital privacy, data erasure, freedom of expression, personal data, EU regulations, public interest, search engines, data subjects, right to erasure.
Introduction
The "right to be forgotten" emerged as a cornerstone of privacy law, highlighting the tension between an individual's rights to privacy and data protection and broader societal values such as freedom of expression and access to information. Its prominence rose following the landmark Google Spain[1] judgment, a decision that pre-empted several elements of the General Data Protection Regulation 2016 (GDPR). This judgment not only reshaped data protection law but also underscored the challenges of applying traditional legal principles in the digital age.
What is the Right to Be Forgotten?
The RTBF can be defined as the right of individuals, referred to as "data subjects", to have personal information removed from search engine results or online directories. It is a subset of the broader right to privacy, focusing not on undisclosed personal data but on publicly accessible information that individuals wish to delist.
Origins of the Right to Be Forgotten
While the RTBF gained global recognition in the digital era, its roots lie in earlier legal principles. Laws like the UK’s Rehabilitation of Offenders Act and France’s le droit à l’oubli (right to oblivion) sought to prevent outdated criminal records from impeding an individual’s social reintegration. These early provisions focused on protecting individuals from undue reputational harm caused by obsolete or irrelevant information.
The modern interpretation of the RTBF emerged with the rise of internet search engines, which transformed how personal data was disseminated and accessed. In 2014, the Court of Justice of the European Union (CJEU) established a pivotal precedent in Google Spain SL v. Agencia Española de Protección de Datos (AEPD)[2]. This landmark ruling recognized the RTBF as a fundamental human right, obligating search engines to honor valid requests for data removal under certain conditions.
Foundations in the Data Protection Directive 1995
The roots of the right to erasure are embedded in the EU Data Protection Directive 1995, which granted individuals the ability to request data erasure or blocking where its processing violated Directive provisions. Specifically:
- Inaccuracy or Incompleteness: The Directive empowered individuals to challenge personal data that was inaccurate or incomplete.
- Substantial Damage or Distress: Section 10[3] of the UK's Data Protection Act 1998 (DPA98), which implemented the Directive, allowed individuals to object to processing likely to cause unwarranted harm.
- Data Protection Principles: The Directive emphasized that personal data must be accurate, up-to-date, necessary for its stated purpose, and not excessive.
However, these provisions fell short of creating a clear-cut "right to be forgotten." Notably, the Directive included exceptions for journalistic, artistic, or literary purposes, prioritizing public interest and freedom of expression.
Challenges in a Digital World
The rise of the internet magnified the limitations of the Data Protection Directive. Information became globally accessible and persistently retrievable, often residing outside EU jurisdictions. This created enforcement challenges, particularly concerning data published by entities like search engines operating across borders.
The Google Spain Case: A Turning Point
The 2014 judgment in Google Spain v. AEPD and Mario Costeja González[4] was a watershed moment in data protection law. The Court of Justice of the European Union (CJEU) established that:
- Search Engines as Data Controllers: Search engines process personal data and are thus subject to data protection law.
- Extended Territorial Scope: EU data protection laws applied even when processing occurred outside the EU.
- Right to Be Forgotten: Individuals could request the removal of outdated or irrelevant information from search results, barring a public interest in retaining the data.
This decision prioritized privacy rights over freedom of expression and access to information, sparking debates about its implications for free speech and the public's right to know.
Implications and Aftermath
Search engines faced a deluge of deletion requests post-Google Spain. By late 2014, Google alone had evaluated nearly half a million URLs, removing 41.8% of them. The Article 29[5] Working Party (WP29) provided guidance, advocating for global de-listing to protect individuals' rights comprehensively.
Despite this, enforcement varied:
- French CNIL's Stance: The CNIL fined Google €100,000 for limiting de-listing to EU domains and advocated global removal.
- Advocate General’s Opinion (2018): The AG opposed global de-listing, emphasizing the need for a balanced approach that respects other jurisdictions' rights to access information.
The GDPR Era: Consolidating the Right to Be Forgotten
Building on Google Spain,[6] the GDPR codified and expanded the right to erasure, ensuring its applicability in the modern digital landscape. Key provisions include:
Territorial Scope (Article 3)[7]
The GDPR applies to any processing of EU citizens' data, irrespective of where it occurs, if the processing relates to goods or services offered within the EU or monitors EU citizens' behavior.
Principles of Data Processing (Article 5)[8]
Controllers must ensure data is accurate and promptly rectified or erased if it becomes outdated or irrelevant.
Legal Framework: The GDPR and Article 17
The EU solidified the RTBF under the General Data Protection Regulation (GDPR), adopted in May 2018. Article 17[9] of the GDPR outlines the right to erasure, granting individuals the ability to request the deletion of personal data when:
- The data is no longer necessary for the purpose it was collected.
- Consent for processing has been withdrawn.
- The data was unlawfully processed.
- The data subject objects to processing, and no overriding legitimate grounds exist.
- The data must be erased to comply with a legal obligation.
Organizations must address these requests promptly, generally within one month, and are required to establish procedures to verify the identity of the requesting party.
Controllers must also notify third parties of erasure requests if the data was made public, with exceptions for freedom of expression, legal obligations, public health, and archival purposes.
Balancing Rights: Privacy vs. Freedom of Expression
The GDPR and subsequent rulings stress the need for a nuanced approach that balances privacy with freedom of speech. Exceptions under Article 17(3)[10] and Member State discretion ensure this equilibrium.
The RTBF has ignited intense debate about its implications for freedom of expression and the public’s right to access information. Critics argue that the RTBF may encourage censorship, allowing individuals to suppress information of legitimate public interest. Proponents counter that it is a necessary safeguard against reputational harm, particularly when outdated or inaccurate data disproportionately affects individuals.
The GDPR provides a framework to balance these competing interests. Exceptions to the RTBF include cases where data is necessary for:
- Exercising freedom of expression and information.
- Performing tasks in the public interest, such as research or historical documentation.
- Establishing or defending legal claims.
Global Challenges and the Path Ahead
The debate over global de-listing reflects the broader tension in harmonizing data protection rights with international norms. While EU rulings like Google Spain[11] have set high privacy standards, achieving global consensus remains a challenge.
The RTBF is a uniquely European construct, rooted in the EU’s prioritization of personal privacy. In contrast, the United States emphasizes free speech, often prioritizing the “right to know” over individual privacy concerns. Other jurisdictions, such as Canada, Brazil, and India, are exploring similar provisions, but their approaches vary significantly.
As the RTBF gains international attention, efforts to harmonize global data protection standards may shape its future development. Initiatives like the World Economic Forum’s Global Coalition for Digital Safety aim to reconcile privacy rights with freedom of expression in an interconnected world.
Conclusion
The right to be forgotten encapsulates the evolving nature of privacy law in a digital world. From its origins in the Data Protection Directive to its crystallization in Google Spain[12] and its consolidation under the GDPR, this right illustrates the ongoing struggle to balance individual privacy with collective freedoms. As technology advances, the interplay between these rights will continue to shape the legal landscape, necessitating adaptability and nuanced policymaking.
[1] C‑131/12, ECLI:EU:C:2014:317.
[2] Ibid.
[3] The UK's Data Protection Act, 1998, s. 10.
[4] Supra at 1.
[5] Working Party, art. 29.
[6] Supra at 1.
[7] Article 3 of the General Data Protection Regulation, 2016, art. 3.
[8] Id. at art. 5.
[9] Id. at art. 17.
[10] Id. at art. 17(3).
[11] Supra at 1.
[12] Ibid.