Ketevan Kukava, PhD Student
in Law, Tbilisi State University
In the internet
age, when vast amount of information can be stored indefinitely and can be
easily retrieved by means of a mouse click, controlling one’s personal data
seems a particularly difficult task to do. Complete erasure of data from
digital memory once it becomes publicly available is questionable from
technological and practical point of view. As a result, the burden of
remembering past events and behavior after they have lost their relevance and
permanent digital accessibility of information can have significant
implications for individuals at the present time.
While the
internet and digitization has brought about huge benefits in terms of access to
wide range of information, content-creation and public dissemination, its major
downside is losing control on one’s personal data and the difficulties related
to forgetting. In his book “Delete: The
Virtue of Forgetting in the Digital Age” Viktor Mayer-Schoenberger points out:
“Since the
beginning of time, for us humans, forgetting has been the norm and remembering
the exception. Because of digital technology and global networks, however, this
balance has shifted. Today, with the help of widespread technology, forgetting
has become the exception, and remembering the default“.
The debate over achieving
a balance between privacy and freedom of expression has reached its highest
level in the internet age. Some argue that removing lawfully published
information from search results might pose the risk of Orwell’s dystopian
history-rewriting. However, on the other hand, individual’s interest in
controlling their personal data, leaving the past behind, and removing the past
burden should not be underestimated.
The General
Data Protection Regulation (GDPR), which will become applicable on 25 May
2018, tries to answer the challenges emerged as a result of technological
advancements in the digital age. Apart from ensuring uniform rules regarding
personal data protection throughout the European Union (as the directive
95/46/EC by its nature left certain leeway to the states in terms of its
implementation), the GDPR provides some additional guarantees, such as a
clearer formulation of the right to erasure (right to be forgotten) which is probably
one of the most controversial and hotly debated issues within the scope of the
GDPR. Right to erasure (right to be forgotten) guarantees deletion of data when
an individual no longer wants their data processed and there is no legitimate
reason to keep it.
Although Directive
95/46/EC does not explicitly guarantee “the right to be forgotten”, in the widely
known Google
Spain judgment the Court interpreted legal provisions of the Directive
in such way which made it possible to satisfy the data subject’s complaint. In
particular, the Court relied on data subject’s right of access to data (the
rectification, erasure or blocking of data the processing of which does not
comply with the provisions of this Directive) as well as data subject’s right
to object, which obliged the operator of a search engine to remove from the
list of results displayed following a search made on the basis of a person’s
name links to web pages, published by third parties and containing information
relating to that person.
Right to erasure
(“right to be forgotten”) guaranteed by Article 17 of the GDPR empowers the
data subject “to obtain from the controller the erasure of personal data
concerning him or her without undue delay”, and obliges the controller “to
erase personal data without undue delay”. This provision is applicable when
certain grounds determined by the Regulation exist, including when the data
subject withdraws consent on which the processing is based, and where there is
no other legal ground for the processing.
One of the basis
for erasing personal data is the data subject’s objection to the processing
when there are no overriding legitimate grounds for the processing (Article
17(1)(c)). Notably, in such case the obligation of demonstrating compelling
legitimate grounds is imposed upon the controller. While according to the Data
Protection Directive, the data subject had to demonstrate “compelling legitimate
grounds relating to his particular situation” and processing should no longer
involve those data in case of a justified objection (Article 14(a)), according
to the GDPR, “the controller shall no longer process the personal data unless
the controller demonstrates compelling legitimate grounds for the processing
which override the interests, rights and freedoms of the data subject or for
the establishment, exercise or defence of legal claims” (Article 21(1)).
Article 17 of
the GDPR imposes obligations upon the controller which according to the
definition provided in Article 4 “alone or jointly with others, determines the
purposes and means of the processing of personal data.” Further, apart from
erasing personal data, additional duties are foreseen by the Regulation when the
controller has made the personal data public: “The controller, taking account
of available technology and the cost of implementation, shall take reasonable
steps, including technical measures, to inform controllers which are processing
the personal data that the data subject has requested the erasure by such
controllers of any links to, or copy or replication of, those personal data”
(Article 17(2)). Notably, the GDPR foresees certain exceptions from the above
mentioned provisions, including when processing is necessary for exercising the
freedom of expression and information, for archiving purposes in the public
interest, scientific or historical research purposes or statistical purposes,
etc. (Article 17(3)).
Despite the
significance of the efforts aimed at ensuring the data subject’s control over
their own personal data, the very nature of the internet and constantly
developing technologies might still pose certain legal and practical challenges
in achieving the aims of being forgotten. In Google Spain the Court itself stressed “the ease with which
information published on a website can be replicated on other sites and the
fact that the persons responsible for its publication are not always subject to
European Union legislation” (paragraph 84). Indeed, once information is made
publicly available, tracking personal data, controlling their further
replication and their subsequent total erasure might seem practically
impossible. Moreover, Google Spain is
also a good illustration of the so-called “Streisand effect”, as the Spanish
citizen who wanted to be forgotten ended up in publicizing his personal information
more widely.
Probably, the
practical difficulty of total erasure is the major rationale behind the focus
of the GDPR on taking reasonable steps and obliging the controller to
communicate erasure of personal data “to each recipient to whom the personal
data have been disclosed, unless this proves impossible or involves
disproportionate effort” (Article 19).
One of the
important issues related to the enforcement of the right to be forgotten is the
territorial scope of the Regulation and its applicability to companies
incorporated outside the EU. Similar to the Data Protection Directive, the GDPR
applies to the processing of personal data in the context of the activities of
an establishment of a controller in the Union. Furthermore, the Regulation
explicitly stresses that this rule is applicable “regardless of whether the
processing takes place in the Union or not” (Article 3(1)). According to Recital 22, establishment implies
the effective and real exercise of activity through stable arrangements. The
legal form of such arrangements, whether through a branch or a subsidiary with
a legal personality, is not the determining factor in that respect.
Additionally, the
GDPR determines that the processing of personal data of data subjects who are
in the Union by a controller or a processor not established in the Union are
subject to the GDPR where the processing activities are related to:
(a) the offering
of goods or services, irrespective of whether a payment of the data subject is
required, to such data subjects in the Union; or
(b) the
monitoring of their behaviour as far as their behaviour takes place within the
Union (Article 3(2)).
Therefore,
companies based outside the EU are not released from data protection
obligations imposed by the GDPR when offering goods or services, or monitoring
behavior of data subjects within the EU, which ensures significant extraterritorial
reach of the GDPR.
Broad
territorial scope of the GDPR together with high administrative fines in case
of infringements of the Regulation (Article 83) is viewed as a strict regime by
privacy sceptics and has given rise to a debate. However, on the other hand, there
is no doubt that the legal framework should be adjusted in order to answer
modern-day privacy challenges. In parallel with technological developments, privacy
concerns increase which necessitates the emergence of appropriate safeguards
and legal regulation.
Proportionality
remains the significant principle which is explicitly guaranteed by the GDPR.
In particular, Recital 4 declares that “the right to the protection of personal
data is not an absolute right; it must be considered in relation to its
function in society and be balanced against other fundamental rights, in
accordance with the principle of proportionality.” Furthermore, Article 85 of
the GDPR refers to exemptions and derogations for processing carried out “for
journalistic purposes and the purposes of academic, artistic or literary
expression” if they are necessary to reconcile the right to the protection of
personal data with the freedom of expression and information.
When enforcing the
right to be forgotten in the online world, important questions arise whether
the information should be removed globally. Google
Spain judgment and its legal implications are of particular significance in
this regard. In response to the requests submitted regarding removing certain
URLs, Google
started to delist links from all European versions of Google Search (like
google.de, google.fr, google.co.uk, etc) simultaneously. Moreover, Google also
started to use geolocation signals (like IP addresses) to restrict access to
the delisted URL on all Google Search domains, including google.com, when
accessed from the country of the person requesting the removal. However, the
French data protection authority required Google to apply the right to be
forgotten to all searches on all Google domains. Following the reference by
French court, the Court of Justice has to decide on the question
whether the ‘right to de-referencing’ be “interpreted as meaning that a search
engine operator is required, when granting a request for de-referencing, to
deploy the de-referencing to all of the domain names used by its search engine
so that the links at issue no longer appear, irrespective of the place from
where the search initiated on the basis of the requester’s name is conducted”. It
should be noted that the global removal of information might produce negative
consequences worldwide. As stressed
by Google, “how long will it be until other countries - perhaps less open and
democratic - start demanding that their laws regulating information likewise
have global reach?”
Guaranteeing the
right to erasure under the GDPR cannot be considered as a silver bullet answer
to the risks and challenges of the internet age, however, the value of the overall
aim of the regulation – increased control of individuals of their personal data
- should not be underestimated. Can we have a realistic expectation of privacy
online and how much valuable information might be lost in translating legal
requirements into practice? – Probably these questions gain more and more
relevance, and necessitate taking due account of the very nature and the
challenges of the internet age.
Photo credit: PR
Week
No comments:
Post a Comment