In the internet age, when vast amount of information can be stored indefinitely and can be easily retrieved by means of a mouse click, controlling one’s personal data seems a particularly difficult task to do.
Complete erasure of data from digital memory once it becomes publicly available is questionable from technological and practical point of view. As a result, the burden of remembering past events and behavior after they have lost their relevance and permanent digital accessibility of information can have significant implications for individuals at the present time.
While the internet and digitization has brought about huge benefits in terms of access to wide range of information, content-creation and public dissemination, its major downside is losing control on one’s personal data and the difficulties related to forgetting. In his book “Delete: The Virtue of Forgetting in the Digital Age” Viktor Mayer-Schoenberger points out:
“Since the beginning of time, for us humans, forgetting has been the norm and remembering the exception. Because of digital technology and global networks, however, this balance has shifted. Today, with the help of widespread technology, forgetting has become the exception, and remembering the default“.
The debate over achieving a balance between privacy and freedom of expression has reached its highest level in the internet age. Some argue that removing lawfully published information from search results might pose the risk of Orwell’s dystopian history-rewriting. However, on the other hand, individual’s interest in controlling their personal data, leaving the past behind, and removing the past burden should not be underestimated.
The General Data Protection Regulation (GDPR), which became applicable on 25 May 2018, tries to answer the challenges emerged as a result of technological advancements in the digital age. Apart from ensuring uniform rules regarding personal data protection throughout the European Union (as the directive 95/46/EC by its nature left certain leeway to the states in terms of its implementation), the GDPR provides some additional guarantees, such as a clearer formulation of the right to erasure (right to be forgotten) which is probably one of the most controversial and hotly debated issues within the scope of the GDPR. Right to erasure (right to be forgotten) guarantees deletion of data when an individual no longer wants their data processed and there is no legitimate reason to keep it.
Although Directive 95/46/EC does not explicitly guarantee “the right to be forgotten”, in the widely known Google Spain judgment the Court interpreted legal provisions of the Directive in such way which made it possible to satisfy the data subject’s complaint. In particular, the Court relied on data subject’s right of access to data (the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive) as well as data subject’s right to object, which obliged the operator of a search engine to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person.
Right to erasure (“right to be forgotten”) guaranteed by Article 17 of the GDPR empowers the data subject “to obtain from the controller the erasure of personal data concerning him or her without undue delay”, and obliges the controller “to erase personal data without undue delay”. This provision is applicable when certain grounds determined by the Regulation exist, including when the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing.
One of the basis for erasing personal data is the data subject’s objection to the processing when there are no overriding legitimate grounds for the processing (Article 17(1)(c)). Notably, in such case the obligation of demonstrating compelling legitimate grounds is imposed upon the controller. While according to the Data Protection Directive, the data subject had to demonstrate “compelling legitimate grounds relating to his particular situation” and processing should no longer involve those data in case of a justified objection (Article 14(a)), according to the GDPR, “the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims” (Article 21(1)).
Article 17 of the GDPR imposes obligations upon the controller which according to the definition provided in Article 4 “alone or jointly with others, determines the purposes and means of the processing of personal data.” Further, apart from erasing personal data, additional duties are foreseen by the Regulation when the controller has made the personal data public: “The controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data” (Article 17(2)). Notably, the GDPR foresees certain exceptions from the above mentioned provisions, including when processing is necessary for exercising the freedom of expression and information, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, etc. (Article 17(3)).
Despite the significance of the efforts aimed at ensuring the data subject’s control over their own personal data, the very nature of the internet and constantly developing technologies might still pose certain legal and practical challenges in achieving the aims of being forgotten. In Google Spain the Court itself stressed
“the ease with which information published on a website can be replicated on other sites and the fact that the persons responsible for its publication are not always subject to European Union legislation” (paragraph 84).
Indeed, once information is made publicly available, tracking personal data, controlling their further replication and their subsequent total erasure might seem practically impossible. Moreover, Google Spain is also a good illustration of the so-called “Streisand effect”, as the Spanish citizen who wanted to be forgotten ended up in publicizing his personal information more widely.
Probably, the practical difficulty of total erasure is the major rationale behind the focus of the GDPR on taking reasonable steps and obliging the controller to communicate erasure of personal data “to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort” (Article 19).
One of the important issues related to the enforcement of the right to be forgotten is the territorial scope of the Regulation and its applicability to companies incorporated outside the EU. Similar to the Data Protection Directive, the GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller in the Union. Furthermore, the Regulation explicitly stresses that this rule is applicable “regardless of whether the processing takes place in the Union or not” (Article 3(1)). According to Recital 22, establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.
Additionally, the GDPR determines that the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union are subject to the GDPR where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union (Article 3(2)).
Therefore, companies based outside the EU are not released from data protection obligations imposed by the GDPR when offering goods or services, or monitoring behavior of data subjects within the EU, which ensures significant extraterritorial reach of the GDPR.
Broad territorial scope of the GDPR together with high administrative fines in case of infringements of the Regulation (Article 83) is viewed as a strict regime by privacy sceptics and has given rise to a debate. However, on the other hand, there is no doubt that the legal framework should be adjusted in order to answer modern-day privacy challenges. In parallel with technological developments, privacy concerns increase which necessitates the emergence of appropriate safeguards and legal regulation.
Proportionality remains the significant principle which is explicitly guaranteed by the GDPR. In particular, Recital 4 declares that “the right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.” Furthermore, Article 85 of the GDPR refers to exemptions and derogations for processing carried out “for journalistic purposes and the purposes of academic, artistic or literary expression” if they are necessary to reconcile the right to the protection of personal data with the freedom of expression and information.
When enforcing the right to be forgotten in the online world, important questions arise whether the information should be removed globally. Google Spain judgment and its legal implications are of particular significance in this regard. In response to the requests submitted regarding removing certain URLs, Google started to delist links from all European versions of Google Search (like google.de, google.fr, google.co.uk, etc) simultaneously. Moreover, Google also started to use geolocation signals (like IP addresses) to restrict access to the delisted URL on all Google Search domains, including google.com, when accessed from the country of the person requesting the removal. However, the French data protection authority required Google to apply the right to be forgotten to all searches on all Google domains. Following the reference by French court, the Court of Justice has to decide on the question whether the ‘right to de-referencing’ be “interpreted as meaning that a search engine operator is required, when granting a request for de-referencing, to deploy the de-referencing to all of the domain names used by its search engine so that the links at issue no longer appear, irrespective of the place from where the search initiated on the basis of the requester’s name is conducted”. It should be noted that the global removal of information might produce negative consequences worldwide. As stressed by Google, “how long will it be until other countries – perhaps less open and democratic – start demanding that their laws regulating information likewise have global reach?”
Guaranteeing the right to erasure under the GDPR cannot be considered as a silver bullet answer to the risks and challenges of the internet age, however, the value of the overall aim of the regulation – increased control of individuals of their personal data – should not be underestimated. Can we have a realistic expectation of privacy online and how much valuable information might be lost in translating legal requirements into practice? – Probably these questions gain more and more relevance, and necessitate taking due account of the very nature and the challenges of the internet age.
Ketevan Kukava, PhD Student in Law, Tbilisi State University
This post originally appeared on the EU Law Analysis blog and is reproduced with permission and thanks.