Right To Be Forgotten
Module 5: Trends in Censorship by Private Actors
Overview of the right to be forgotten
The right to be forgotten, which is also described as the right to be delisted, or the right to erasure, involves an entitlement or right to request that search engines remove links to private information taking into account the right to privacy weighed against public interest considerations.(1) This right was given prominence following the 2014 Court of Justice of the European Union (CJEU) judgement in Google Spain SL v Agencia Española de Protección de Datos (Google Spain case).(2) This judgement has altered the online privacy landscape and has far reaching legal implications.
In brief, Mr Gonzalez, a Spanish national, took issue with the fact that when internet users searched his name on Google, the search results revealed a news story from 1998 regarding his debt. He requested that the personal information be removed as the matter had been resolved and was no longer relevant. The findings of the CJEU can briefly be summarised as follows:
- The CJEU held that it has jurisdiction to adjudicate the matter, search engines are data controllers, and the right to be forgotten means that personal information that is “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing” must be erased by the search engine.
- The CJEU, however, ruled that the right to be forgotten should not apply to information that is relevant for the public interest.
This wide discretion for search engines to balance the competing elements of relevance and the public interest left some digital rights activists, such as Access Now concerned. The decision also triggered a debate regarding the tension between the right to privacy and the right to freedom of expression and access to information. Some privacy proponents welcomed the legal development for creating space for people to have some level of control over their personal information, arguing that it “restores the balance between free speech and privacy in the digital world.”(3) Others were more circumspect, noting concerns that when information is delisted it affects other fundamental rights, including freedom of expression and the right to receive and impart information and ideas.(4)
Evolution of the right to be forgotten
Following from the abovementioned judgment, the right to be forgotten has been recognised in domestic contexts,(5) regional legislation and again by the CJEU. In 2018, Google published its Transparency Report revealing that 43% of the 2.4 million requests from users to be “forgotten” have been successful. The relevance of this new right cannot be disputed; however, its scope, applicability and effects are still being debated.
In May 2018, the European Union (EU) elevated the status of the right through article 17 of the General Data Protection Regulation. Article 17 provides data subjects with the right of erasure of their personal data from search engines. It further obliges search engines to erase personal data without undue delay subject to listed grounds. When erasure is required, article 17(2) stipulates that all reasonable steps must be followed — taking into account the available technology and the cost of implementation — to inform all controllers processing the personal information that any links, copies or replication of the personal data should also be erased. Article 17(3) includes the instances when the right to be forgotten does not apply, namely for exercising the right of freedom of expression and information; for compliance with a legal obligation; for reasons of public interest in the area of public health; for archiving purposes in the public interest, scientific or historical research or statistical purposes; or for the establishment, exercise or defence of legal claims.
Further jurisprudential developments on the right to be forgotten
In September 2019, the CJEU handed down a further ruling in Google LLC v Commission Nationale de l’Information et des Liberties (CNIL). The case dealt with whether a de-listing order made in a member state of the EU meant that the search results had to be removed from all the search engine’s domain name extensions globally.
By way of background, in 2015, the French Data Protection Agency (CNIL) requested Google to globally remove informing concerning a data subject. Google refused and limited its removal only to EU member states, resulting in CNIL fining Google. Google appealed this decision. Many interested parties, including Wikimedia, Microsoft, governments of EU member states and civil society actors made submissions to the CJEU. The CJEU acknowledged that the right to be forgotten is not globally recognised and that the competing interests between the right to privacy and freedom of expression are balanced differently across the world.
Ultimately, the CJEU found that where a search engine operator has granted a de-listing request of a data subject in an EU member state, there is no obligation under EU law for a search engine operator to be ordered to implement the de-listing on all versions of its search engine globally. The CJEU further noted that while EU law does not require de-referencing from all versions of a search engine, such a practice is not prohibited. A judicial authority of a member state remains competent to weigh up – in the light of national standards of protection of fundamental rights – a data subject’s right to privacy and the protection of personal data concerning them, on the one hand, and the right to freedom of information, on the other, and, after weighing those rights against each other, to order the operator of that search engine to carry out a de-referencing concerning all versions of that search engine.
“This ruling is a victory for global freedom of expression. Courts or data regulators in the UK, France or Germany should not be able to determine the search results that internet users in America, India or Argentina get to see. The Court is right to state that the balance between privacy and free speech should be taken into account when deciding if websites should be de-listed – and also to recognise that this balance may vary around the world. It is not right that one country’s data protection authorities can impose their interpretation on Internet users around the world.”
The careful navigation of balancing privacy rights against freedom of expression will continue to pose challenges as the digital landscape continues to evolve.(6)
The extra-territorial scope of the right to be forgotten
In many ways the CJEU clarified the extra-territorial scope of the right to be forgotten. States are still entitled to, at their discretion, develop the content of this right within their respective jurisdictions, and are still at liberty, as acknowledged by the CJEU, to adopt different approaches when balancing the right to privacy and the protection of personal data, on the one hand, and the right of access to information of internet users on the other – provided such an approach is compliant with international human rights norms.
Opportunities and risks
The right to be forgotten can provide important protections for privacy and can fulfil an important role in promoting agency and autonomy. State and non-state actors have far reaching powers when it comes to the online personal information and identity of individuals. Allowing individuals to have some ownership of their personal information gives them some control of their digital identities. The majority of online personal information has no bearing on public interest considerations and has far more intrinsic value to the individual than society at large. The current jurisprudential and legislative developments in this regard have been sensitive to this, recognising the difference between what is of value to an individual, what is interesting to the public and what is in the public interest.
There were concerns that an “overly expansive right to be forgotten will lead to censorship of the Internet because data subjects can force search engines or websites to erase personal data, which may rewrite history.”(7) In some instances, it is permissible for individuals not to be indefinitely defined by their past. The Google Spain judgment provides some direction on this, where it recognised the need for relevant considerations to take place – such as the nature and sensitivity of the information, the public interest and the role played by the data subject in public life – when finding a fair balance between the right of the data subject and the interests of internet users. Shortly after the Google Spain judgment, Google received an array of requests from people to have articles of their past removed from the search engine. Google’s 2017 Transparency Report provided some guidance on how it has dealt with requests, providing examples of some of the outcomes of requests for erasure. Some responses to politician’s requests stated “[w]e did not delist the URLs given his former status as a public figure”, while another stated “[w]e delisted 13 URLs as he did not appear to be currently engaged in political life and was a minor at the time.” ARTICLE 19 explains that, from a child’s rights perspective, binding children to negative aspects of their past can “impede their development and diminish their sense of self-worth”.
There are legitimate benefits that accompany the right to be forgotten; however, there are also risks associated with the right, in particular around enforcement of rights and the adverse effect this can have on the right to freedom of expression.(8) A lack of cogent regulatory safeguards can result in search engines becoming the “judge, jury and executioner” of the right to be forgotten.(9) There are risks involved in conferring such a decision making power on a private entity, particularly given the need to balance competing rights, an exercise traditionally reserved for courts.(10) The Electronic Frontier Foundation expressed concern that the “ambiguous responsibility upon search engines” will censor the internet.
Ensuring adequate safeguards when implementing the right to be forgotten
Access Now has provided some guidance on ensuring clear safeguards for the implementation of the right to be forgotten:
- A right to de-list must be limited to the sole purpose of protecting personal data.
- Criteria for de-listing must be clearly defined in comprehensive data protection legislation to avoid interference with human rights.
- Competent judicial authorities should interpret standards for determining what is de‑listed.
- The right to de-list must be limited in scope and application.
- Search engines must be transparent about when and how they comply with de-listing requests.
- Users must have easy access to a remedy.
The right to be forgotten brings to the fore the tensions between the right to privacy and the right to freedom of expression, and given the rapid pace at which digital space is changing, it is likely that these tensions will persist. Provided public interest overrides are prioritised and adequate safeguards are put place, there can be some degree of consonance.