What is the right to be forgotten and how is it implemented in today’s digital environment?

The right to have your personal data erased, the so-called right to be forgotten, granted by the European acquis, is tested on the basis of the interest involved. This operation must be carried out on a case-by-case basis, taking into account the contextual elements and the specifics interests of the subject involved.

 

Table of contents

1. Introduction

2. The right to be forgotten in European case law

3. Identity management tools for managing the right to be forgotten

4. Conclusions

 

1. Introduction

Internet never forgets. In our digital age it is impossible to forget. The web has the ability to "bring to the surface", through the insertion of even a single word, data and facts referring to events that occurred many years ago or published in newspapers that have, to date, digitized their archives. Basically, there can be no perfect forgetting on the web. Can data be deleted from the web once entered? What is the right to be forgotten and how is it implemented in the digital environment of the 21st century?

The legislation is a good starting point in order to answer to the previous questions. The General Data Protection Regulation 2016/679 ("GDPR"), in Article 17, establishes that the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay. Therefore, data controllers are obliged (if they have "made public" the personal data of the data subject: for example, by publishing them on a website) to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers, including "any link, copy or reproduction" (see Art 17(2) of the GDPR). This right has a broader scope than the one already provided by the Privacy Code in art. 7, paragraph 3, letter b), since the data subject has the right to request the deletion of his or her data, for example, even after revocation of consent to processing (see art. 17, paragraph 1 of the GDPR).

In this context, it is clear that search engines are of fundamental importance as information intermediaries. They are true meta-instruments of digital knowledge. Indeed, once a word is entered into the search field of a search engine, all relevant information appears on the screen in a methodical order. The amount of information thus collected and stored by search engines is mind-boggling (and can be dangerous), and for this reason, European and domestic legislators brought order to the chaos. As a matter of fact, in the deep sea of knowledge of the web it is likely that some facts injurious to the dignity of a subject come out after a long time and it is their right to ask for their erasure. In this situation the balance of interests with the freedom of expression and the right to information comes into play.

2. The right to be forgotten in European case law

In recent years, the question of how search engines should balance privacy rights with freedom of information has aroused the interest of jurists and judges and the rulings of the European Court of Justice, the European Court of Human Rights as well as the important judgements of national Constitutional Courts.

In 2014, the European Court of Justice (ECJ) in the Google Spain case ruled that European citizens had the right to require search engines, such as Google and Bing, to remove "inaccurate, inadequate, irrelevant or excessive" results linked to their name. In this case, the ECJ upheld a judgment of the Spanish court that had ordered Google to remove the links to newspaper articles about the Spanish citizen Costeja Gonzalez. In particular, those links related to some bankruptcy proceedings concerning debts of various kinds dating back to the late 1990s. Google complied by partially removing the search results on its domains.

Following the initial recognition of the right to de-indexing (the so-called delisting), with the Google Spain decision- which invested search engines with a para- constitutional role in the delicate balance between the right to data protection and the public's right to obtain information in relation to events of general importance (a role which had never been imposed on service providers, who - on the contrary - benefit from a general exemption from liability under EC Directive 2000/31, the so-called e-commerce directive), the ECJ , once again asked whether the right to be forgotten could also extend beyond the continental borders, answered in the negative.

Indeed, with the recent judgment in Case C-507/17 (24 September 2019) between Google and the Commission nationale de l'informatique et des libertés (CNIL), the ECJ judges have effectively denied to the individual the right to erasure, already granted by the CNIL in respect to the data present online and negative for the reputation of a French entrepreneur. This was done on the basis of the circumstance that many states outside the European Union do not recognize the right to delisting, thus considering that "the right to the protection of personal data is not an absolute prerogative but must be considered in the light of its social function and must be balanced with other fundamental rights, in accordance with the principle of proportionality".

Most recently, the European Court of Human Rights (ECtHR) decided in 2018 in the Apollonia case that Germany had rightly denied two individuals their right to be forgotten in connection with press archives relating to a 1991 murder. The EDU Court upheld the German Supreme Court's decision as it found that the German Supreme Court had correctly applied the balancing test regarding the right to be forgotten. In this case, the ECHR relied mainly on Article 8 of the European Convention on Human Rights, which was applied in relation to the balancing of the two rights under Article 10 of the same Convention.

In the light of this, it is clear that the search engine operator has a difficult task to ensure that an individual's personal data is lawfully processed for specified, explicit and legitimate purposes, that it is adequate, relevant and not excessive in relation to those purposes, that it is accurate, updated and that it is kept for a period of time not exceeding that necessary to achieve those purposes.

This is the background to the judgment of the Court of Luxembourg (Manni case), which revealed the relationship between data retention and deletion times. Indeed, such an operation must be guided by a careful "case-by-case assessment" that takes into account the contextual elements and the specific interests of third parties potentially involved.

3. Identity management tools for managing the right to be forgotten

In light of this, legal tech and AI tools would be useful devices for determining the truthfulness and accuracy of personal data. Search engines, such as Google, have adopted a number of solutions to handle user requests for the removal of untrue or inaccurate information. Remarkably, the Google Advisory Council - appointed specifically to define the operational aspects of exercising the right to be forgotten - has agreed that false and inaccurate information contributes to shifting the needle of the scales towards strengthening the privacy of the subject rather than towards the widespread public interest in knowledge. In this context, the burden of proof to demonstrate the inaccuracy of the data for which delisting is requested, falls on the subject concerned.

As a matter of fact, the large number of requests that need to be followed up quickly increases the likelihood of human error and exposes the interested parties and third-party stakeholders to prejudicial situations. For this reason, to support this process, the same tools that define privacy could be useful precisely to its same strengthening, allowing each user to customize the protection of their identity by preventing injury to the right to privacy and at the same time help owners and managers to keep updated and accurate personal data of stakeholders. All of the above processed only by an algorithm! Already, identity management tools allow users to view and modify the personal data that the owner processes.

The problem lingers in the handling of delisting requests. If search engines were to fully automate the process (as several operators have already done) would the algorithm be able to guarantee the effective implementation of the right to be forgotten? In the writer's opinion, in order to continue to manage a huge amount of personal data while guaranteeing the protection of the right to be forgotten in the digital environment while respecting all the other rights and interests involved, a strong human component will remain necessary in the balancing test, as also affirmed by the European Court. Such a balancing test is probably not transposable into an algorithm.

4. Conclusions

Presumably, the solution is just around the corner. Undoubtedly, with the advent of blockchain and increasingly transparent decentralized systems, it could be easier for search engines to guarantee a more effective and immediate protection of users' rights, activating that still distant principle of "accountability" of the data controller envisaged by the GDPR. In this regard, it is good to highlight some issues when blockchain and the right to be forgotten sit at the same table.

Indeed, how can the right to be forgotten be combined with the unchangeable nature of a blockchain? One of the solutions could be the possibility of entering data into a blockchain only as an external link, thus leaving the data out of the chain. However, by doing so, the data could no longer be used securely and would be subject to potentially indiscriminate modification. Another solution could be anonymization, which, however, in turn presents several issues. In a blockchain, everything is encrypted, therefore, the data should be protected. But encryption, though secure, is not infallible and can be hacked.

Probably, in the not-so-distant future we will be able to solve many of the open questions between the introduction of a blockchain-based system and the implementation of GDPR regulations.

In the meantime, let's begin to think about the important issues that have emerged around the right to be forgotten and its balancing against competing fundamental rights.