The GDPR and the Right to Be Forgotten
As of 25 May 2018, the General Data Protection Regulation (GDPR) directly applies to all EU member states, aiming to (1) provide a unified high standard of data protection for individuals in the EU and (2) embrace businesses by replacing the patchwork carpet of 28 national data protection laws with a single catalog of rules. Not least because of the dramatically increased fines of up to the higher of EUR 20 million or 4% of worldwide annual turnover, data protection has finally made its way directly to board level.
The GDPR combines existing principles (such as data minimization and purpose limitation) and new ideas (such as the concept of privacy by design and privacy by default, setting data protection considerations also at the development phase of new technologies and requiring the most data-protection-friendly pre-settings). Further, the GDPR has significant transparency requirements, bringing with it the challenge of comprehensively informing data subjects about data processing while at the same time trying to avoid information fatigue.
Although an EU legislative act, the GDPR is seen by some as globally applicable. In fact, it may already apply if the EU market is targeted, that is, by offering goods or services to individuals in the EU (not necessarily EU nationals) or monitoring their behavior in the EU, even if a company does not even have an establishment (which could be an office but has to be assessed in each individual case) in the EU. As a side note, to date there is no official guidance on how to interpret this extraterritorial applicability of the GDPR clearly, leaving legal uncertainties to non-EU businesses with any kind of relation to the EU. A large part of the GDPR focuses on the rights of data subjects, most of which already existed in pre-GDPR times. In the GDPR, these rights are largely being reshaped and strengthened, whereas one specific right might be of particular interest, especially for individuals with a certain exposure to the public: The right to be forgotten (Article 17 GDPR), which is an extended right to have data deleted in certain scenarios.
The right to be forgotten is supposed to support an autonomous development of individuals’ lives without being stigmatized by a specific action performed in the past that is still digitally available online to the public.
Before the internet even existed, people who made mistakes — from embarrassing pictures to other wrongdoings — that ended up in the news eventually benefitted from natural human oblivion, as (mis)conducts usually slipped out of the public consciousness. Nowadays, even little misdemeanors may continue to appear on the results pages of search engines forever and may fundamentally hinder the personality development of the affected persons due to public stigma.
The Rise of the Right to Be Forgotten
In 2014, the European Court of Justice (ECJ), the highest court in the EU, legally solidified the right to be forgotten when it decided that European citizens may in some cases have the right to request a delinking of certain hyperlinks in search results provided by search engines. In the case at hand, a Spanish data subject had experienced financial difficulties in the past, stories about which had found their way into an online newspaper. He requested Google to stop linking to these articles in its search results. The ECJ held that search engines have an obligation to remove links to personal data that are inadequate, irrelevant, no longer relevant, or excessive. Since this landmark ruling, Google has, so far, delisted 44% of 2.6 million URL removal requests, according to its newest transparency report. Almost 90% of those removal requests originate from private individuals, whereas 1.4% of the requests come from public figures (such as prominent people).
However, even if Google deletes the link from its search results, the original information continues to exist and could be further accessed (for example through the original URL, or by other search engines or social media sharing).
Exercising the Right to Be Forgotten
With the tailwind of the ECJ ruling, EU lawmakers poured an even stronger version of this “right to erasure” (as its official term) into the GDPR in the shape of a three-step right (Article 17 (1)–(3) GDPR).
As a first step, data subjects may request the deletion of their personal data from the data controller (for example the operator of the relevant website), choosing from a list of reasons for erasure. This list generally covers cases where data processing changed from being initially lawful to unlawful, such as when the processing purpose has ceased to exist or the data subject has revoked its consent.
The actual right to be forgotten is introduced in the second step. If the data controller has made public the data concerned, it has to inform other data controllers processing this data about the relevant request to be forgotten. What appears to be a strong sword for data subjects rather proves to be a toothless tiger as the data controller shall only take “reasonable steps” to approach other data controllers in that regard.
A list of exceptions to both prior steps marks the third step, as almost no right is granted unconditionally. Hence, the data subject is forced to accept that its data will remain out there if there are more protection-worthy opposing interests, for example freedom of expression and information, legal obligations, or public health. However, the opposing interests must always be weighed in each individual scenario.
A vivid example of such weighing has recently been given by the European Court of Human Rights, when it decided between the right to personality and the public interest in being reasonably informed about major events, such as capital crimes. Although the Court, not being an EU institution, does not rule under EU law (including the GDPR), it held that the applicants, even after their release from prison many years after being sentenced for the murder of a famous German actor, have no right to have relevant media coverage deleted from various online archives. The fact that the applicants, while being in prison, approached the media themselves to reach a reopening of the trial and therefore deliberately caused even more media coverage did push the right to be forgotten even further away in the eyes of the judges.
The Right to Be Forgotten as an International Human Right
The concept of the right to be forgotten is also emerging in other regions of the world, such as Asia, with courts in Japan quite actively defining its shape and relevant guidelines being released in South Korea. In the US, legislative initiatives face some resistance as, for historical reasons, freedom of expression is of particular importance (according to the First Amendment) and potential censorship by implementing such a right is feared. However, with this concept gaining more acceptance throughout the world, one day the right to be forgotten may be seen as an international human right, as already discussed by some today.
The concept of the right to be forgotten is also emerging in other regions of the world, such as Asia, with courts in Japan quite actively defining its shape and relevant guidelines being released in South Korea
Under the GDPR, the internet may indeed be written in pencil, and not ink, in some cases. However, a thin line between conflicting interests must always be drawn in each case. Nonetheless, the right to be forgotten under the GDPR fulfills an important function in a digitized world and may help avail individuals of greater and faster justice.