The right to be forgotten is a relatively recent and emerging legal concept with great implications for Internet policies, freedom of expression and privacy. It grants individuals the ability to control their online identities, by giving them the right to request the de-listing of certain web addresses from search engine results, or to delete certain data that they do not want to be processed by search engines any longer.
Interpretation and implementation of the right to be forgotten
The right to be forgotten is still very much debated at the global level, partly due to conflicts in its interpretation, as well as to practical issues for its implementation.
The right to be forgotten first derives from the right to erasure, a long-standing principle in European data protection laws. Since the 1995 EU Directive on Data Protection, individuals have been granted the right to have all the personal data related to them deleted when they leave a service/close an account. But the interpretation of the right to be forgotten has been extended in the wake of a landmark ruling by the Court of Justice of the European Union (CJEU) in 2014. In the Google Spain case, the CJEU ruled that, deriving from their right to erasure, individuals have a right to de-list. This means that they can request that the search engines delist certain links from their search index, if the results contain personal information that is ‘inadequate, irrelevant or no longer relevant, or excessive’.
This ruling has raised a number of concerns, in particular regarding its practical implementation by search engines. In 2015, Google had set up an advisory council on the right to be forgotten to develop recommendations for ‘performing the balancing act between an individual’s right to privacy and the public’s interest in access to information’. In February 2018, Google announced that it had received 2.4 million requests for delisting URLs from Google searches since 2014, illustrating the great challenges faced by the company in order to comply with the CJEU ruling.
The right to be forgotten at the global level
Following the 2014 ruling of the CJEU, the right to be forgotten has been incorporated in the newly adopted EU General Data Protection Regulation (GDPR), and has increasingly been gaining ground worldwide.
From India to Brazil, and from Japan to Canada, the right to be forgotten has raised both significant interest and concern from courts, policymakers, companies and civil society, as there differing global positions regarding this emerging right remain.
Critics of the right to be forgotten argue that it could lead to the widespread removal of online content, and thus harm the freedom of expression and other human rights. For instance, though it supports the right to erasure, Access Now strongly opposes establishing a right to de-list or a right to obscurity, because ‘if misinterpreted or implemented the wrong way — particularly in the absence of a comprehensive data protection law and with inadequate transparency — it poses a significant threat to human rights’.
Proponents of the right to be forgotten, and in particular of the right to de-list, instead argue that the continuing availability of certain personal information can cause serious injustice to individuals, without any public interest in having such information available. The French data protection authority for instance, has been among the leading voices in favour of a global right to de-list.
The entry into force of the GDPR, the growing interest of lawmakers worldwide, and the challenges raised by the implementation of the right to be forgotten by Internet companies, will give significant prominence to this issue in 2018.
Implementation of the right to be forgotten: A timeline
On 1 January 2015, California's Online Erasure law entered into force. The law has been coined as the right to be forgotten 'Lite'. Though its actual effects are subject to debates, this law intends to codify the right to a delete button for minors.
On 12 February 2016, Google extended the ‘right to be forgotten’ rule to its global sites accessed within Europe. The company will implement the rule based on the filtering of European IP addresses, in that users in the EU will be unable to see the omitted search results.
On 29 April 2016, the Korea Communications Commission (KCC) issued the Guidelines on the Right to Request Access Restrictions on Personal Internet Postings to implement the right to be forgotten.
On 2 February 2017, the Supreme Court of Japan dismissed the appeal brought by a Japanese man against Google Japan, who was seeking the removal of online search results which referenced his arrest for child prostitution more than 5 years ago.
On 2 February 2017, the Karnataka High Court ruled in favor of the petitioner, who had concerns about the appearance of his daughter's name in the cause title of criminal proceedings documents accessible online.
On 4 March 2017, the Spanish Data Protection Authority said that search engines should not inform the publisher when delisting links, and fined Google for such a communication, holding that it violates the duty of secrecy set forth in the Data Protection Act.
On 9 March 2017, the Court of Justice of the European Union ruled that the right to be forgotten does not extend to company registers. The case involved the director of an Italian company whose properties failed to sell, presumably due to the companies register showing that he was the administrator of another company that went bankrupt. The court ruled that company registers needed to be public to ensure legal certainty.
On 15 March 2017, two New York policymakers introduced a draft bill to remove information that is 'inaccurate', 'irrelevant', 'inadequate', or 'excessive', that is 'no longer material to current public debate or discourse'.
On 19 June 2017, the Higher Regional Court of Munich issued an injunction requesting Google to stop its current process for RTBF when it complies with a request. While Google links to the original page for transparency, the court states the approach allows users to access the removed pages through an extra click.
On 25 July 2017, France referred the CNIL (the French data protection authority) vs Google (Alphabet) case to the Court of the Justice of the EU (CJEU) saying 'With today's decision, the Council of State believes that the scope of the right to be delisted poses several serious difficulties of the interpretation of European Union law.' In March 2016, the CNIL had fined Google for delisting nationally, and not globally, certain links from its search results. Google appealed the decision before the French supreme administrative court, which then brought the case to the EU level.
On 9 February 2018, the Supreme Court of Canada overturned a court order that would have forced the Canadian Broadcasting Corporation (CBC) to remove articles which pre‑existed the publication ban and which identified the victim by name and photograph on its website. Law enforcement authorities had requested that CBC take down posts identifying the alleged victim of a murder that were published before the ban was issued. CBC had refused on the grounds that these posts were legal at the time they were posted.
On 12 April 2018, in California, assemblymember Mark Levine introduced a legislative text mirroring provisions of the EU's General Data Protection Regulation (GDPR), including a form of right to be forgotten.
On 13 April 2018, in a landmark case, a UK High Court ordered Google to de-list from its Google search results articles about years-old crimes. The case was brought to court by two businessmen who had previously asked Google to remove articles about crimes they had committed, arguing that the articles were a breach of their right to privacy, old, and of no public interest. According to the Financial Times, this ruling marked the first time English courts have considered the ‘right to be forgotten’. For the Guardian, this decision is likely to have ‘implications for other convicted criminals and those who want embarrassing stories about them erased from the web’.
On 30 May 2018, the Swedish data protection authority said it supported the idea of an extraterritorial application of the right to be forgotten, under certain conditions. This decision was contested by Google in courts, which eventually ruled in favor of the company. The Swedish data protection authority is now bringing this case to the court of appeal.
On 31 May 2018, in a case involving a prosecutor from Rio de Janeiro who was being investigated but later found innocent, the Brazilian Superior Court of Justice allowed the de-indexation of search results from Google, Yahoo, and Microsoft in a landmark ruling.
27 Feb 2018 – Google received 2.4 million ‘right to be forgotten’ requests since 2014
Google has published the detailed figures of the requests the company has received to de-list links from its search results, in order to comply with the right to be forgotten. Google indicated that it has complied with around 43%of the 2.4 million requests that they received. Google complemented its announcement by publishing a research paper entitled Three years of the Right to be Forgotten. This paper highlights that 89% of the requests came from private individuals, and that crime-related removal requests represented 8% of all requests. The paper also indicated that half of the requests originated from Germany, France and the UK.
Privacy and data protection
Privacy and data protection are two interrelated Internet governance issues. Data protection is a legal mechanism that ensures privacy. Privacy is usually defined as the right of any citizen to control their own personal information and to decide about it (to disclose information or not). Privacy is a fundamental human right. It is recognised in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and in many other international and regional human rights conventions. Read more about Privacy and data protection
Consumer trust is one of the main preconditions for the success of e-commerce. E-commerce is still relatively new and consumers are not as confident with it as with real-world shopping. Consumer protection is an important legal method for developing trust in e-commerce. E-commerce regulation should protect customers in a number of areas, such as online handling of payment card information; misleading advertising; delivery of defective products. Read more about Consumer protection
Other human rights
The human rights basket includes online aspects of freedom of expression, privacy and data protection, rights of people with disabilities and women’s rights online. Yet, other human rights come into place in the realm of digital policy, such as children’s rights, and rights afforded to journalists and the press. The same rights that people have offline must also be protected online is the underlying principle for human rights on the Internet, and has been firmly established by the UN General Assembly and UN Human Rights Council resolutions. Read more about Other human rights