The right to be forgotten is a relatively recent and emerging legal concept with great implications for Internet policies, freedom of expression and privacy. It grants individuals the ability to control their online identities, by giving them the right to request the de-listing of certain web addresses from search engine results, or to delete certain data that they do not want to be processed by search engines any longer.
The right to be forgotten is still very much debated at the global level, partly due to conflicts in its interpretation, as well as to practical issues for its implementation.
The right to be forgotten first derives from the right to erasure, a long-standing principle in European data protection laws. Since the 1995 EU Directive on Data Protection, individuals have been granted the right to have all the personal data related to them deleted when they leave a service/close an account. But the interpretation of the right to be forgotten has been extended in the wake of a landmark ruling by the Court of Justice of the European Union (CJEU) in 2014. In the Google Spain case, the CJEU ruled that, deriving from their right to erasure, individuals have a right to de-list. This means that they can request that the search engines delist certain links from their search index, if the results contain personal information that is ‘inadequate, irrelevant or no longer relevant, or excessive’.
This ruling has raised a number of concerns, in particular regarding its practical implementation by search engines. In 2015, Google had set up an advisory council on the right to be forgotten to develop recommendations for ‘performing the balancing act between an individual’s right to privacy and the public’s interest in access to information’. In February 2018, Google announced that it had received 2.4 million requests for delisting URLs from Google searches since 2014, illustrating the great challenges faced by the company in order to comply with the CJEU ruling.
Following the 2014 ruling of the CJEU, the right to be forgotten has been incorporated in the newly adopted EU General Data Protection Regulation (GDPR), and has increasingly been gaining ground worldwide.
From India to Brazil, and from Japan to Canada, the right to be forgotten has raised both significant interest and concern from courts, policymakers, companies and civil society, as there differing global positions regarding this emerging right remain.
Critics of the right to be forgotten argue that it could lead to the widespread removal of online content, and thus harm the freedom of expression and other human rights. For instance, though it supports the right to erasure, Access Now strongly opposes establishing a right to de-list or a right to obscurity, because ‘if misinterpreted or implemented the wrong way — particularly in the absence of a comprehensive data protection law and with inadequate transparency — it poses a significant threat to human rights’.
Proponents of the right to be forgotten, and in particular of the right to de-list, instead argue that the continuing availability of certain personal information can cause serious injustice to individuals, without any public interest in having such information available. The French data protection authority for instance, has been among the leading voices in favour of a global right to de-list.
The entry into force of the GDPR, the growing interest of lawmakers worldwide, and the challenges raised by the implementation of the right to be forgotten by Internet companies, will give significant prominence to this issue in 2018.
30 May 2018 – Swedish DPA appeals after Google partly won a case on the right to be forgotten
Recently, the Swedish data protection authority supported the idea of an extraterritorial application of the right to be forgotten, under certain conditions. This decision was contested by Google in courts, which eventually ruled in favor of the company. According to Telecompaper, the Swedish data protection authority is now bringing this case to the court of appeal.
13 Apr 2018 – Landmark 'right to be forgotten' case in the UK
The High Court in London ordered Google to remove links related to the criminal conviction of a businessman given more than a decade ago. The ruling stated that this conviction was now ‘out of date, irrelevant and of no legitimate interest to users of Google Search’ and that the convicted had ‘expressed genuine remorse’. According to the Financial Times, this ruling marked the first time English courts have considered the ‘right to be forgotten’. For the Guardian, this decision is likely to have ‘implications for other convicted criminals and those who want embarrassing stories about them erased from the web’.
27 Feb 2018 – Google received 2.4 million ‘right to be forgotten’ requests since 2014
Google has published the detailed figures of the requests the company has received to de-list links from its search results, in order to comply with the right to be forgotten. Google indicated that it has complied with around 43%of the 2.4 million requests that they received. Google complemented its announcement by publishing a research paper entitled Three years of the Right to be Forgotten. This paper highlights that 89% of the requests came from private individuals, and that crime-related removal requests represented 8% of all requests. The paper also indicated that half of the requests originated from Germany, France and the UK.
19 July 2017 - French court refers the right to be forgotten case to the Court of Justice of the European Union
The case that the French highest administrative court referred to the ECJ opposes Google and the French data protection authority (CNIL). In March 2016, the CNIL had fined Google for delisting nationally, and not globally, certain links from its search results. Google appealed the decision before the French supreme administrative court, which then brought the case to the EU level. According to Reuters, this dispute highlights significant challenges and diverging interpretations in the extraterritorial implications of the right to be forgotten.
Privacy and data protection are two interrelated Internet governance issues. Data protection is a legal mechanism that ensures privacy. Privacy is usually defined as the right of any citizen to control their own personal information and to decide about it (to disclose information or not). Privacy is a fundamental human right. It is recognised in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and in many other international and regional human rights conventions. Read more about Privacy and data protection
Consumer trust is one of the main preconditions for the success of e-commerce. E-commerce is still relatively new and consumers are not as confident with it as with real-world shopping. Consumer protection is an important legal method for developing trust in e-commerce. E-commerce regulation should protect customers in a number of areas, such as online handling of payment card information; misleading advertising; delivery of defective products. Read more about Consumer protection
The human rights basket includes online aspects of freedom of expression, privacy and data protection, rights of people with disabilities and women’s rights online. Yet, other human rights come into place in the realm of digital policy, such as children’s rights, and rights afforded to journalists and the press. The same rights that people have offline must also be protected online is the underlying principle for human rights on the Internet, and has been firmly established by the UN General Assembly and UN Human Rights Council resolutions. Read more about Other human rights