CAN THE RIGHT TO BE FORGOTTEN CONFLICT WITH THE PUBLIC'S RIGHT TO INFORMATION?

Guest post by Veronika Hloušková

Regulating Big Tech paper series

3/10/202313 min read

1. Introduction

It seems that the great doctrine of Development rules not only in biology and theology, but in the law as well; so that whenever, in the long process of civilization, man generates a capacity for being made miserable by his fellows in some new way, the law, after a decent interval, steps in to protect him.[1] thus commented the anonymous author of the "Atlantic Monthly" magazine on an article written by Warren and Brandeis, which discusses the concept of a right to privacy as an idea whose time has come. Article 17 of the GDPR is supposed to be the "intervention" to which the law has resorted. The right to be forgotten can thus be seen as the most recent significant outgrowth of the development of the legal protection of the informational aspect of privacy (i.e. the right to informational self-determination).[2] The right to be forgotten, which is regulated in Article 17 of the GDPR, essentially refers to the right of an individual to ask the search engine provider to delete data from past events so that it is no longer visible to third parties.[3] That is allowing individuals to request the erasure of certain information, such as videos, photographs, etc. from the internet to prevent it from being searched by others if it meets at least one of the grounds listed in Article 17 of the GDPR.[4] To begin with, it is essential to emphasise that the right to be forgotten is derived from the fundamental right to privacy, which protects people's interest in having a "personal space" from interference by other persons and organizations. The right to privacy is enshrined in many international human rights instruments, including the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights or the European Convention on Human Rights. The main difference between the right to privacy and the right to be forgotten is that the former entails information that is not publicly available, but the right to be forgotten involves the deletion of information that has been publicly available and published in the past so that third parties cannot access it.[5] However, the usefulness of establishing a right to be forgotten is disputed because, this instrument could be detrimental to international human rights in light of freedom of information. Among other things, there are concerns about its impact on freedom of expression.[6] Neither of these rights should be seen as the counterpart of the other, as it is one of the mechanisms to ensure freedom of privacy.[7] In my essay, I have therefore decided to address the research question, namely the following: Whether the right to be forgotten, as provided in Article 17 of the GDPR, may conflict with the public's right to information.

2. Literature Review

There are many academic articles on Article 17 of the GDPR. In general, the right to be forgotten is discussed in the book The Right to Erasure in EU Data Protection Law by its author Jef Ausloos, who concludes that "The right to data protection not only implies the freedom to proactively control one's personal data, but also safeguards that freedom from being effectively usurped, whether by commercial, technological, or bureaucratic forces."[8]. Furthermore, the issue is addressed in a chapter in the book Privacy and Data Protection Challenges in the Distributed Era[9], which is an equally useful resource for understanding this institution. The potential conflict is then addressed in the article The Right to be forgotten: Striking the Balance between the right to privacy of an individual and the right to information of society[10], which, like other articles[11][12][13], considers the appropriate balance between these rights.

3. Legal framework - Article 17 of the General Data Protection Regulation and analysis of related cases

3.1 Article 17 of the General Data Protection Regulation

Article 17 of the GDPR is concerned with the right to erasure, also known as the right to be forgotten. This right gives individuals the ability as mentioned above to request that their personal data be deleted by a controller (an organization that processes personal data) under certain circumstances, such as if the data is no longer necessary for the purpose for which it was collected, or if the individual withdraws their consent for the processing of their data.[14] Under the GDPR, individuals have the right to request the deletion of their personal data under certain circumstances. These include: a) if the personal data is no longer necessary in relation to the purpose for which it was collected or processed; b) if the individual withdraws their consent for the processing of their personal data and there is no other legal ground for the processing; c) if the individual objects to the processing of their personal data and there are no overriding legitimate grounds for the processing; d) if the personal data has been unlawfully processed; e) if the personal data needs to be deleted in order to comply with a legal obligation.[15] It's worth noting that the right to be forgotten is not absolute, and there may be certain exceptions that allow the controller to retain the personal data, such as if it is necessary for the exercise of the right of freedom of expression and information, or for the establishment, exercise, or defense of legal claims.[16]

3.2 Google Spain SL v. Costeja (C-131/12)

The GDPR is a relatively new regulation and it is likely that case law will be added in the future as controllers and individuals continue to navigate their rights and obligations under the GDPR. First, it should be mentioned a case that helped establish the right to be forgotten as a key component of the GDPR[17], the case of Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos, Mario Costeja González, also known as the "right to be forgotten" case.[18] In this case, the Court of Justice of the European Union ruled that individuals have the right to request that search engines remove references to personal data from search results if those references are inappropriate, irrelevant or no longer relevant or if the processing of the data is unlawful, giving rise to Article 17 of the GDPR.[19]

3.3 GC and Others (C-136/17) & Google v. CNIL (C-507/17)

Two other rulings, I would like to mention, issued by the Court of Justice of the European Union further define the scope of the right to be forgotten in the context of search engines.[20] In GC and Others (C-136/17), the Court held that the search engine operator must verify the lawfulness of the processing of sensitive data only ex post, i.e. after receiving a request to remove a link. The tactical ovation of the GC et al. decision is that if the Court were to interpret the GDPR rigidly, Google's search engine and perhaps many other search engines would be (i.e., continue to be) partially illegal, which is a result that is neither desirable to the Court nor to Google's many search engine users in the EU. [21] Although this decision lowers the level of protection of the right to data protection, it is an act that will help to bring out of the grey area caused by the Court's decision in Google Spain (C-131/12) mentioned above.[22] Very important is the decision in Google v. CNIL (C-507/17). The heart of the case is CNIL's dispute with Google over the extent to which the removal of links in the context of a successful request for oblivion should take place in terms of Google's local search engine domain range. Initially, Google deleted links from the results list exclusively from the local domains of the Member States of the European Union. In the summer of 2015, however, the CNIL invited Google to start deleting links from all language versions of the search engine on the basis of a successful request.[23] Google initially refused to do so[24], but in March 2016 it attempted a compromise consisting in the so-called geoblocation of links to be removed on the basis of a successful request, depending on the location from which the search was made.[25]However, the CNIL was not satisfied with this compromise. On 10 March 2016, it imposed a fine of EUR 100,000 on Google, which Google appealed to the French Council of State. The latter subsequently asked the Court of Justice of the European Union a series of preliminary questions.[26] The Court of Justice of the European Union determined in this case the territorial scope of the right to be forgotten. The Court laid down a general rule on the EU-wide disavowal of a link in the context of measures that prevent or at least seriously impede access to search results outside the EU. EU law therefore does not oblige Google and other search engine operators to apply the European right to be forgotten globally. Thus, non-EU countries have room to strike their own balance between data protection and freedom of information.[27] In both cases, the decision can be seen as a balancing act by the Court of Justice of the European Union in an attempt to reconcile the often very different rights and interests of the subjects concerned.

4. Critical Reflection

As one of the arguments in favour of the right to be forgotten, we can take into consideration that sensitive personal data available in the public domain are insignificant in terms of public interest and have limited intrinsic value. Conversely, if it were to be disclosed, it could result in the destruction of that person's life. If personal information that is unlawfully in the public domain remains open and accessible, it could have any (bad) effect on the individual. In particular, making it harder to get a job, get the credit you want, or generally jeopardize living a decent life.[28] Those who advocate the right to be forgotten argue that it can be exercised in conjunction with the right to freedom of speech and expression. Various provisions can be made to ensure that the individual's right to be forgotten does not infringe on the rights of others.[29] It is also essential to recall that, also in the Costeja case, the Court, in its judgment, took into account concerns about freedom of expression and stated that in some cases where the personal data in question belongs to a public figure, the public's right of access to that information might take precedence.[30] In general, it should be summarized that the mistakes we have made in the past should not be endlessly reminded and given a chance to be corrected. Without the existence of a "right to be forgotten", this can lead to search engines forming a false impression of such a person. A good example of this is given in an article by Vedant M. Maske, which mentions that “In the case of juvenile convicts, this might hamper their development and diminish their sense of self- worth. Even if someone has committed an offense a decade ago, he will still be reminded of his guilt through video, photos, or any other related information available on the internet.[31] The right to be forgotten is also very important in cases involving rape or affecting the modesty and reputation of the persons concerned.[32] In an era when the state is promoting the digital revolution, paperless governance and encouraging individuals to share a significant amount of information about themselves, it is also its duty to protect the right to data protection and privacy. And it is the right to be forgotten that becomes extremely important in such a case because it gives people the opportunity to regain control. There is no doubt that digitalisation is increasing, and so are new emerging threats to data privacy. Thanks to the proliferation of communication technologies, personal data and the identity of individuals have become vulnerable to interference by both state and private actors in the Internet era.[33] It brings us to whether there is a conflict between the rights of the individual and the rights of society. If we accept the right of the individual to be forgotten, we ignore the wider right of the public to share and receive material that is legitimately in the public domain. Also, the classification of personal information based on relevance is ambiguous, and what most people would consider trivial or insignificant information may provide another (for example, historians) with cultural knowledge of great value. Thus, most of those who criticize this right to be forgotten point out, as I noted above, that there are limitations on the right to information. Although the information relates to a particular person, it does not necessarily belong to that person and does not mean that they should have exclusive control over it.[34] In addition, although data protection laws such as the 'right to be forgotten' are necessary in today's world, their application without due procedural safeguards and clarity on their scope can lead to abuse.[35] It is also worth pointing out the statistics which show that 1,352,751 requests for deletion of personal data were submitted to Google, containing 5,259,116 URL links. However, from the beginning (2014) to December 2022, only 49.2% of these requests have been granted (deleted).[36]

5. Conclusion

It is very important to balance the right to be forgotten and the public's right to information and freedom of expression. Nonetheless, I firmly believe that in today's highly digitised world, the right to be forgotten is a useful and important tool that can help individuals to live better lives. We are only human and we make mistakes. If any information is wrongfully disclosed and we should suffer harm from it, it is imperative that there is a way to erase that information from the digital world. The fact that this information is often of no importance to the public, while it can cause serious harm and make life very difficult for individuals, is, in my opinion, a very good indicator. At a time when we are being pushed to have personal and other documents online, it is important that there are adequate safeguards. In principle, I agree with the decision of the Court of Justice of the European Union in Google v. CNIL (C-507/17) case, where it held that "there is no obligation under EU law for Google, and other search engine operators, to apply the European right to be forgotten globally"[37]. As the GDPR is a European regulation, we must leave it to non-EU states to choose their own legislation in this regard. Although freedom of expression and the public's right to information is very important, ultimately, the individual's right to handle his or her own data should play a significant role, and therefore I do not think that these rights are conflicted by Article 17 GDPR, as long as the legislation is clear and balances these rights correctly.

Sources

[1] GLANCY, Dorothy J. Invention of the Right to Privacy, The. Arizona Law Review. 1979, 21(1), 1. p. 6.

[2] GLANCY, Dorothy J. Invention of the Right to Privacy, The. Arizona Law Review. 1979, 21(1), 1. p. 6.

[3] Quillet, E. (2011). The right to digitalization on social networks. Master of Human Rights and Humanitarian Law Directed by Emmanuel Decaux, University year, Panthéon Assas University. p. 901

[4] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

[5] Marwan Kamel Jomaah Al-Khalidy, & Yaseen Myasar Aziz. (2022). The Applications of The Right to Be Forgetting. QALAAI ZANIST JOURNAL, 7(1), p. 938–955

[6] Marwan Kamel Jomaah Al-Khalidy, & Yaseen Myasar Aziz. (2022). The Applications of The Right to Be Forgetting. QALAAI ZANIST JOURNAL, 7(1), 938–955

[7] Kumar, Ashwinee. (2021). THE RIGHT TO BE FORGOTTEN IN DIGITAL AGE: A Comparative Study of the Indian Personal Data Protection Bill, 2018 & The GDPR. II, 2019

[8] Ausloos, Jef., The Right to Erasure in EU Data Protection Law., 2020

[9] Politou, Eugenia & Alepis, Efthymios & Virvou, Maria & Patsakis, Constantinos. (2022). Privacy and Data Protection Challenges in the Distributed Era.

[10] Maske, V. M., The Right to Be Forgotten: Striking the Balance between Right to Privacy of an Individual and Right to Information of Society. Supremo Amicus, 2022

[11] Kumar, Ashwinee. (2021). THE RIGHT TO BE FORGOTTEN IN DIGITAL AGE: A Comparative Study of the Indian Personal Data Protection Bill, 2018 & The GDPR. II, 2019

[12] Policy brief: The right to be forgotten, ARTICLE 19, 2017

[13] Jure Globocnik, The Right to Be Forgotten is Taking Shape: CJEU Judgments in GC and Others (C-136/17) and Google v CNIL (C-507/17), GRUR International, Volume 69, Issue 4, April 2020, p. 380–388

[14] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

[15] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

[16] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

[17] Post, R. C. (2018). Data privacy and dignitary privacy: google spain, the right to be forgotten, and the construction of the public sphere. Duke Law Journal, 67(5), p. 981-1072.

[18] Court of Justice, judgment of 13 May 2014, case C-131/12, Google Spain and Google.

[19] Court of Justice, judgment of 13 May 2014, case C-131/12, Google Spain and Google.

[20] Jure Globocnik, The Right to Be Forgotten is Taking Shape: CJEU Judgments in GC and Others (C-136/17) and Google v CNIL (C-507/17), GRUR International, Volume 69, Issue 4, April 2020, p. 380–388

[21] Court of Justice, judgment of 8 November 2019, case C-136/17, GC and Others

[22] Court of Justice, judgment of 13 May 2014, case C-131/12, Google Spain and Google.

[23] CNIL orders Google to apply delisting on all domain names of the search engine, May 2015

[24] Implementing a European, not global, right to be forgotten. Google Europe Blog, July 2015

[25] Adapting our approach to the European right to be forgotten. Google, March 2016

[26] Court of Justice, judgment of 24 September 2019, case C-507/17, Google Inc. v. Commission nationale de l’informatique et des libertés (CNIL).

[27] Court of Justice, judgment of 24 September 2019, case C-507/17, Google Inc. v. Commission nationale de l’informatique et des libertés (CNIL).

[28] Kumar, Ashwinee. THE RIGHT TO BE FORGOTTEN IN DIGITAL AGE: A Comparative Study of the Indian Personal Data Protection Bill, 2018 & The GDPR. II, 2021

[29] Maske, V. M. The Right to Be Forgotten: Striking the Balance between Right to Privacy of an Individual and Right to Information of Society. Supremo Amicus, 2022

[30] Court of Justice, judgment of 13 May 2014, case C-131/12, Google Spain and Google.

[31] Maske, V. M. The Right to Be Forgotten: Striking the Balance between Right to Privacy of an Individual and Right to Information of Society. Supremo Amicus, 2022

[32] Maske, V. M. The Right to Be Forgotten: Striking the Balance between Right to Privacy of an Individual and Right to Information of Society. Supremo Amicus, 2022

[33] Maske, V. M. The Right to Be Forgotten: Striking the Balance between Right to Privacy of an Individual and Right to Information of Society. Supremo Amicus, 2022

[34] Policy brief: The right to be forgotten, ARTICLE 19, 2017

[35] Maske, V. M. The Right to Be Forgotten: Striking the Balance between Right to Privacy of an Individual and Right to Information of Society. Supremo Amicus, 2022

[36] Google Transparency Report; European Privacy Request for Search Removal, December, 2022

[37] Court of Justice, judgment of 24 September 2019, case C-507/17, Google Inc. v. Commission nationale de l’informatique et des libertés (CNIL).