The right to be forgotten – Part One
Related Practice Area: Data Protection & PrivacyNegative search engine results can have undesired consequences such as loss of business or employment opportunities. This can be disproportionately unfair if the information is false, misleading or outdated.
This principle was confirmed in an important ruling on the subject delivered by the Court of Justice of the European Union (CJEU)) in Google Spain and Google Inc. v. Agencia Española de Protección de Datos, Mario Costeja González in 2014. In its ruling, the CJEU held that the right to be forgotten applies where the information that is being sought for removal is inaccurate, inadequate, irrelevant or excessive for the purposes of data processing.
The CJEU added, however, that the right to be forgotten was not to be interpreted as an absolute right, but one which needs to be applied on the basis of a sensible balance between the right to privacy and the right to information and freedom of expression. In practice, this means that there is no single formula to determine the right to be forgotten and all instances had to be decided in accordance with the aforementioned criteria.
The legal framework
The current legal basis underpinning the right to be forgotten is set out in Article 12 of Directive 95/46/EC, which requires Member States to guarantee every data subject the right to obtain from the controller:
“the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data.”
The Data Protection Act in Malta partly transposes this requirement in Article 43, which grants the authority to the Commissioner for Data Protection to order the controller to erase personal data.
The General Data Protection Regulation (GDPR), which enters into force on the 25th May 2018, will strengthen the current legal certainty on the right to be forgotten by setting out the instances upon which it can be invoked. These are:
a. Where the data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
b. If the individual withdraws consent to processing (and if there is no other justification for processing);
c. If the individual objects and the controller cannot demonstrate that there are overriding legitimate grounds for the processing;
d. When the data is unlawfully processed.
In addition, the GDPR imposes a requirement for controllers that initially made personal data public, to inform other controllers processing the same data, that a request for its removal has been made by the data subject.
The right to be forgotten is considered as a political “hot topic” and its development was oftentimes met with opposition from online businesses, particularly due to its impact on the current debate on data ownership. While it is our view that valid arguments exist on both sides of such debate, in general terms, it appears that where retention does not serve a public purpose, data subjects enjoy a stronger degree of control in relation to their personal data.