“The Right to be Forgotten” in the EU’s General Data Protection Regulation

Christine Prorok Vol. 37 Associate Editor Vol. 38 Online Content Editor

In a world where information posted to the Internet is so widely available and difficult to control, data privacy can seem out of reach. However, a right that was recently recognized in the European Union has attempted to push back on the notion that once information has been posted online, it is lost into the void. “The right to be forgotten” is the right of Europeans to request information be removed from a search engine when that information is “inadequate, irrelevant or no longer relevant, or excessive in relation to [the purposes for which it was processed or collected] and in the light of the time that has elapsed.”[1] The Court of Justice of the European Union (CJEU) established this right and emphasized the need for sensitivity for the data subject’s private life.[2] The search engine implicated in this case was Google, an American-based company. However, that did not prevent the court from ordering the removal of the link in question, because Google Spain processed the information.[3] This judicial decision left many questioning the status of freedom of expression and access to information.[4] With a new European data protection law on the horizon, the question left open was whether the European Commission would maintain “the right to be forgotten,” and if so, whether it would create concrete boundaries for this right. Now that the General Data Protection Regulation has been finalized (replacing the 1995 Data Protection Directive), lawyers will be looking to its provisions to determine the boundaries of this newly-created “right to be forgotten.” Despite hopes that the new law would lay out definite limits and specific procedures for exercising the right,[5] it remains vague and ambiguous, leaving lawyers, for better or for worse, with much room for interpretation of the Regulation. Article 17, entitled “Right to erasure (‘right to be forgotten’)” sets out the conditions under which a data subject may seek either the erasure or restriction of processing of data.[6] The Regulation also provides that “the right to be forgotten” may be exercised only against “data controllers.” A data controller is defined as an entity that “determines the purposes and means of the processing of personal data.”[7] However, it remains to be seen what entities will be defined as data controllers. The Google Spain case indicates that search engines are viewed as data controllers, but other websites including social media platforms such as Facebook and Twitter are less clear cases.[8] These websites may be more fairly seen as data hosts or processors, while the individual user is the controller, deciding what information to post and how and when to delete it. Here, the extent to which the website manages the data posted may be relevant in determining its role under the Regulation.[9] Another significant aspect of the Regulation is the apparent ease with which data subjects can object to information about them and have it removed. When a data subject has objected under the relevant provision, the Regulation places the burden on the data controller to show “compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject”[10] if it wishes to maintain the information on its domain. Such a showing may be difficult to make, and more significantly, take a significant amount of time. Additionally, a data controller stands to be fined up to 20,000,000 Euros for an infringement of the Article 17 right to be forgotten[11] (a forty-fold increase from the 500,000 Euro maximum laid out by the 2012 proposal of the law).[12] Considering such factors, a data controller may find it easier and less risky to simply remove information when it receives a request. In the light of data showing that over half of removal requests are invalid,[13] these incentives are troubling. Google has recently announced that it will broaden its interpretation of the right to be forgotten by removing search results for European users across all of its websites when a request for removal has been granted.[14] This announcement followed pressure and threats of fines from European privacy regulators.[15] The danger in such an approach is apparent: data controllers may be incentivized to simply remove information upon request, resulting in a significant restriction on the free flow of information.

[1] Case C-131/12, Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos (AEPD), Mario Costeja González, 2014 ECLI:EU:C:2014:317, 19 (ordering Google to remove a notice of property foreclosure still available 16 years later). [2] Id. at 20 [3] See generally id. [4] See Charles Arthur, Explaining the ‘right to be forgotten’ – the newest cultural shibboleth, The Guardian (May 14, 2014, 1:42 PM), http://www.theguardian.com/technology/2014/may/14/explainer-right-to-be-forgotten-the-newest-cultural-shibboleth. [5] See David J. Stute, Privacy Almighty? The CJEU’s Judgment in Google Spain SL v. AEPD, 36 Mich. J. of Int’l L. 649, 680 (2015). [6] Draft Regulation XXX/2016, of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), annex, 102-05, available at http://static.ow.ly/docs/Regulation_consolidated_text_EN_47uW.pdf [hereinafter General Data Protection Regulation]. [7] Id. at 79. [8] See Daphne Keller, The Final Draft of Europe’s “Right to be Forgotten” Law, The Center for Internet and Society (Dec. 17, 2015, 12:00 PM), http://cyberlaw.stanford.edu/blog/2015/12/final-draft-europes-right-be-forgotten-law. [9] See id. [10] General Data Protection Regulation at 106. [11] Id. at 192. [12] Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), COM (2012) 92 final (Jan. 25, 2012). [13] See Daphne Keller, The new, worse “right to be forgotten, Politico (Jan. 28, 2016, 9:03 AM), http://www.politico.eu/article/right-to-be-forgotten-google-defense-data-protection-privacy. [14] Google ‘Right to Be Forgotten’ to Be Applied More Widely, NBC News (Feb. 11, 2016, 1:11 PM), http://www.nbcnews.com/tech/tech-news/google-right-be-forgotten-will-be-applied-more-widely-n516656. [15] Id.