Gonzalez’s case is a familiar one. Back in the late 90s, he had gone bankrupt and had to auction off one of his properties. This was picked up by a newspaper which then published the story online. By 2014, Gonzalez no longer had financial problems, but if you looked him up on Google, the newspaper article covering the property auction was the first result.
He argued that this affected his reputation, and was no longer relevant as it had happened 16 years previously. Since he had done nothing illegal, he wanted the article gone and the EU ruled in his favor — setting an important precedent for individual privacy laws (ironically, Gonzalez, who was only trying to get rid of a small article, is now the subject of countless news stories on Google).
The right to be forgotten (also known as the right to erasure) is defined in Article 17 of the GDPR as: “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.”
To break down the jargon, what Article 17 means is that if you meet one of several circumstances, you can push Google (and other search engines) to remove specific search results. If you’re in the EU, at some point you’ve probably seen the phrase “Some results may have been removed under data protection law in Europe” pop up on Google.
What qualifies someone to be given the right to be forgotten?
There are several conditions which apply to the right to be forgotten. A person only has to meet one of the following conditions in order to apply to be forgotten:
- The personal data is no longer necessary for the purpose of the organization who originally collected it
- An organization relies on a person’s consent to process their data and that person withdraws their consent
- An organization processed a person’s data unlawfully
- An organization processed a child’s personal data
- An organization is using a person’s data for direct marketing and that person objects to this use
- An organization relies on legitimate interests as its justification for processing a person’s data, the person objects to this processing, and there is no overriding legitimate interest for the organization to continue with the processing
However, there are also a number of conditions which trump the right to be forgotten:
- The data is being used for a legal defence or to establish other legal claims
- The processed data is necessary for public health purposes and serves public interest
- The data is necessary to perform occupational or preventative medicine (this applies only if health professionals are processing the data)
- The data is being used to comply with a legal ruling or obligation
- The data is being used to exercise the right of freedom of expression and information
- The data represents important information that serves the public interest (including scientific research, historical research, or statistical purposes) and the erasure of this data would likely halt or impair the progress that was the original goal of the processing
- The data is used to perform a task that is being carried out in the public interest
The right to be forgotten — for businesses
The right to be forgotten has important implications for businesses. For the first time, GDPR codified international privacy laws specifically targeting online behaviour. As a result customer data now needs to be treated accordingly.
Specifically, businesses have an obligation to erase data which is no longer needed for their original purpose. Unless the data needs to be saved for AML and KYC purposes, or the customer specifically opts in to the data being stored, sensitive information should be deleted.
Additionally, businesses need to give customers the option of withdrawing consent for their information to be stored. Unless there are overriding legitimate reasons for storing the data, businesses are obliged to erase the information or face severe legal consequences.
The right to be forgotten — controversies
When it was first introduced in 2014, the right to be forgotten caused a lot of controversy. Many were worried that information that was of public interest was going to be removed from public record. This is why GDPR represented a crucial change in the legislative landscape, which aims to both grant individuals their privacy while also preventing censorship.
However, problems still exist with the right to be forgotten. With regards to search engine listings, you have to appeal directly to the search engines. In some situations, these cases are taken to a court of law due to their complex nature. Earlier this year a Dutch surgeon won a landmark case to remove Google results regarding a medical negligence case. In 2018, a UK businessman lost an appeal to remove results about his criminal conviction. At the moment, it all seems to be on a case by case basis. While Article 17 aims to be clear, there is still enough grey area where further action is needed.
There are additional concerns, especially in regards to cases involving children. If a child goes missing, quite often a public appeal is issued. Sometimes, the child is thankfully returned safely. However, if they ever google their name, there is a good chance that their disappearance is going to be amongst the top results. Missing Children Europe has outlined in their report “Once missing — never forgotten?” the problems with having this type of digital footprint. They argue that children (who then become adults) have to live with the consequences of their image and potentially traumatic story remaining in the public domain and outside of their control.
Then of course, there is the obvious problem of the right to be forgotten impacting free speech. Several NGOs have argued that if this law continues, more authoritarian countries (such as Russia and Saudi Arabia) will follow suit with even more restrictive laws, essentially spreading propaganda and limiting personal freedoms. The concerns about global censorship are valid, but obviously the situation is complicated.
Clearly the kinks are still being sorted out regarding the right to be forgotten, and the decisions made in courts of law are going to have a lasting impact on the future. It’s fairly easy to understand why someone might want their data removed, and it’s also easy to understand why it should stay on the public record. It will certainly be interesting to see how these laws develop over the next years.