In the old days, information would travel by word of mouth. Perhaps, a short report would be written in local newspapers, but many incidents would be forgotten eventually. Nowadays, someone’s drunk photos or unsavoury news can quickly get picked up by many outlets and end up all over the Internet.
This effective spread of information leads to reports of minor transgressions or mishaps staying unduly prominent for years after the incident. This can have catastrophic consequences for your career and quality of life.
The legislators have recognised this issue, and have started implementing various measures to help protect individuals from these potentially catastrophic consequences. One of these measures is the right to be forgotten, or in other words, the right to erasure.
Background
The ‘right to be forgotten’ has so far been enshrined in EU and Argentine law. The legal stipulations, while fairly recent, stem from long-standing ideas, namely that convictions should, and eventually do, disappear from the individual’s files after a time. In practice, once a sufficient period of time has elapsed after an infraction or a conviction, employers, insurers, and the general public cannot see them nor take them into account. Basically, individuals should not be punished repeatedly and indefinitely for their offences – they should be able to wipe the slate clean.
The rights of individuals to manage their personal data have only become relevant in the last twenty years, but the response of the lawmakers has been anticipatory and quite rapid. In fact, these rights are now considered as basic human rights, thanks to court decisions.
The Costeja Case
The assertion that the right to be forgotten is an essential human right has not been made up by pundits and ‘concerned’ politicians. There is a clear judicial decision affirming it.
The landmark case that affirmed the right to be forgotten is the ‘Google Spain v AEPD and Mario Costeja González’ case before the European Court of Justice. The background of the case involves a repossession of properties due to social security debts, as announced in the local newspaper in 1998. Mario Costeja González had owned one such property, and while Googling his name in 2009, he came across the announcements.
He asked Google to remove these results, as they were no longer relevant, since the event had taken place a long time ago. Afterwards, he also lodged a complaint to the Spanish Data Protection Agency asking both Google and the papers to remove the content. The Agency ordered Google, but not the newspapers, to remove the links, but Google would not oblige.
Google claimed it was not under the scope of the Data Protection Directive, it did not process the data, and that the individual does not have the right to erasure in any case, since the material had been lawfully processed.
The Court concluded that search engines also carry out processing, and since Google operates in Spain, it has an establishment in EU countries. This is relevant today in the GDPR as well. Additionally, the Court held that results and information that “appear to be inadequate, irrelevant or no longer relevant or excessive in the light of the time that had elapsed” must be removed upon request.
The right was not explicitly defined, though; it stems from the Data Protection Directive and the Charter of Fundamental Rights of the EU.
The GDPR: Is There Anything New?
The right to be forgotten has already been defined in Article 12 of the Data Protection Directive. The GDPR codifies that right. It applies to non-EU companies as long as they offer services to European consumers, i.e. if they have an establishment in the EU.
The GDPR goes further to ensure that the burden of proof for data retention lies on the data controller, not the individual. If the data controller cannot demonstrate the necessity of keeping such data, it must be deleted.
Controllers who have made one’s personal data public also have to notify third parties of the individual’s wish to have the data deleted, unless it would involve disproportionate effort.
The individual has the right to demand data erasure when data retention is no longer necessary for the purpose for which it was collected. They may withdraw their consent at any time, as well as object to processing. In the event of unlawful processing, data must be deleted immediately.
Fines of up to EUR 10 million or 2 percent of the company’s global annual turnover, whichever is higher, can be levied if these provisions are violated.
Limitations to Erasure
The right to erasure is not absolute. All requests similar to those in the court case should be assessed on a case-by-case basis. The company’s privacy department, with the aid of a Data Protection Officer (DPO), should make these assessments.
Companies can refuse to comply with a deletion request if they:
- feel it would violate the right of freedom of expression and information,
- must comply with previously issued legal orders,
- deem data retention as essential for public health and public interest,
- use the data for scientific, historical and statistical research purposes.
The sensible limitation can be seen in the court case as well. The privacy authority did not require the newspapers to remove the articles, since they are truthful and their removal would have a negative effect on the freedom of information.
However, the removal of search links makes the information less ubiquitous, but still accessible by those whom it might concern. The European Commission has repeatedly stressed that this right to erasure is all about striking a balance between personal freedom and the right to freedom of expression.
Practical Concerns
The simplest path for your company would be to erase all data for which you receive a request from the individual. However, this is not always practical nor reasonable. A DPO should help determine the proper course of action.
Take into account the criteria of data accuracy, adequacy and relevance. Note that relevance decreases with passing time. In any case, the GDPR forbids retaining data that is not absolutely necessary for immediate processing purposes, except where retention is covered by the limitations to erasure outlined in the previous section.
Official EU communications indicate that public figures are afforded fewer rights, since the general public has a greater interest in accessing (truthful) data on them.
Search Engines in the Spotlight
The companies most hard-hit by this rule will be the search engines, as they inevitably process vast amounts of data and facilitate easy access to information that could be harmful to individuals. Still, other companies that collate and store large amounts of user data should also prepare themselves.
In most cases, deleting public references to data in question will be enough to satisfy the legal requirements of the right to be forgotten. It is unlikely that full erasure of data will be required, especially if the data is technically true and correct. Even if such a thing were demanded, in practice it is hardly possible to locate and delete all copies of a publicly available item in any case.
Still, that applies to open systems such as the Internet. Companies generally operate with their own internal systems where data is stored according to their own policies, and such data must be able to be fully deleted if required.
The most cost-effective approach, already introduced in some places, is the creation of a personal control panel where an individual can directly see and analyse the data they have shared with the company. This increases trust in the company, reduces the overall administrative burden, and ensures the data is transparently and properly stored and accessible. Data relating to children should be especially marked and afforded significant protections.
Data Expiration
Your company could also enact automatic data expiration policies. Without much user intervention, data can automatically be erased, which means there is a lower risk of data breaches to the company. Make sure to delete data on discarded offline devices as well. Otherwise, the data could resurface. Also, proper access controls are a must. Employees can and do leak data. It only takes a single well-intentioned screenshot to create an avalanche of headaches. Encryption and pseudonymisation are methods you should look into, as the GDPR treats such data preferentially.
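As an added illustration (not code from the original article), the sketch below combines the two mechanisms discussed above: an erasure-request handler that refuses only on the four exemption grounds listed under ‘Limitations to Erasure’, a retention sweep that expires records automatically per purpose, and a keyed-hash pseudonymisation helper. The exemption tags, the retention periods and the sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib
import hmac

# Grounds on which an erasure request may be refused (the four listed in the
# article), as tags the DPO attaches to a record after a case-by-case review.
EXEMPTIONS = {"freedom_of_expression", "legal_order", "public_health", "research"}

# Assumed per-purpose retention periods; real values come from your own policy.
RETENTION = {"newsletter": timedelta(days=365), "order": timedelta(days=7 * 365)}

@dataclass
class Record:
    subject_id: str
    purpose: str
    collected_at: datetime
    holds: set = field(default_factory=set)   # exemption grounds asserted by the DPO
    deleted: bool = False

def handle_erasure_request(rec):
    """Erase unless the DPO has recorded one of the listed exemption grounds."""
    grounds = sorted(rec.holds & EXEMPTIONS)
    if grounds:
        return False, "refused: " + ", ".join(grounds)
    rec.deleted = True
    return True, "erased"

def expire_records(records, now):
    """Automatic expiration: delete records past retention; flag purposes without a policy."""
    expired, review = [], []
    for rec in records:
        if rec.deleted or rec.holds & EXEMPTIONS:
            continue
        limit = RETENTION.get(rec.purpose)
        if limit is None:
            review.append(rec.subject_id)        # no documented necessity: the DPO decides
        elif now - rec.collected_at > limit:
            rec.deleted = True
            expired.append(rec.subject_id)
    return expired, review

def pseudonymise(subject_id, key):
    """Keyed hash: linkable inside the company, not reversible without the key."""
    return hmac.new(key, subject_id.encode(), hashlib.sha256).hexdigest()

# Constructed sample data: four subjects, evaluated on the GDPR application date.
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)
SAMPLE = [
    Record("u1", "newsletter", NOW - timedelta(days=400)),
    Record("u2", "order", NOW - timedelta(days=400)),
    Record("u3", "newsletter", NOW - timedelta(days=400), holds={"legal_order"}),
    Record("u4", "analytics", NOW - timedelta(days=10)),
]
```

Running `expire_records(SAMPLE, NOW)` deletes only the stale newsletter record, leaves the order record and the legally held record alone, and sends the record with no retention policy to the DPO for review.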
Further guidance is pending and should arrive with implementing acts that will clarify the impact on the right to be forgotten, as well as technical challenges that the companies face.
Worldwide Removal
Most IT companies are international and offer their services to people in most countries. This is understandable, since there are no spatial constraints on the Internet. However, this creates another problem: the EU stipulates that the right to be forgotten is essential. But what about other countries that do not?
The answer is simple – search engines, such as Google, are not required to remove the offending results for users from third countries. In effect, this means that only users from the EU see the filtered results, and even that can be easily circumvented by using a proxy.
Lately, France has been pushing to force Google to ‘censor’ its results for the whole world. Again, it is the European Court of Justice that will have to reach a decision. Google is adamantly against the right to be forgotten extending beyond the EU borders. It argues that if they cave to EU demands, other countries could start asking for the same treatment – such as Thailand with its strict lese-majesty laws that ban insulting the Thai royal family.
Google is being fined daily by the European courts for not complying with the obligation that it is contesting. It is a steep hill for Google, as a Canadian court has already affirmed that a court may order the worldwide removal of links.
Conclusion
Individuals will like the GDPR, as it ensures a clearer and more comprehensive set of rights. Still, the best way of ensuring personal data security is not to share too much of it in the first place. This data minimisation strategy should become even more prominent under the GDPR, but with the advent of profiling and data aggregation for marketing purposes, the adoption of these principles will be slow and painful at best.
As is evident from the Costeja case, privacy regulations can and do change, in line with the times. What was thought of as unimaginable ten years ago is common practice today, much to the chagrin of the tech giants.
Understandably so, as these changes are very costly to implement. As for the GDPR, companies face huge burdens at first, but the net impact should be positive since the overall administrative burden should be lowered after the initial adoption period. It is essential to start preparing right away, even if there are some uncertainties. 25 May 2018 is right around the corner. If the burden of ensuring compliance with the GDPR is too hard to bear, consultants can help you determine the most efficient and practical course of action.