The Right to Be Forgotten (RTBF) under Article 17 of the General Data Protection Regulation (GDPR) is a legal right that allows individuals to request the deletion of their personal data by data controllers (organizations that collect and manage personal data). It is also known as the right to erasure. Article 17 aims to empower individuals by giving them control over their personal information, particularly in the context of the digital world where data can be easily accessible and long-lasting.
Key Elements of Article 17 (Right to Erasure):
1. Right to Request Erasure: Individuals can request the deletion of their personal data from a data controller if one of the following conditions applies:
– No Longer Necessary: The personal data is no longer necessary for the purpose for which it was originally collected or processed.
– Withdrawal of Consent: The individual withdraws their consent, and there is no other legal ground for processing the data.
– Objection to Processing: The individual objects to the processing of their personal data, and there are no overriding legitimate grounds for continuing the processing.
– Unlawful Processing: The personal data was processed unlawfully.
– Legal Obligation: The personal data must be erased to comply with a legal obligation under EU or member state law.
– Data of Children: The personal data was collected in relation to the offering of information society services (e.g., online services) to children.
2. Obligations of the Data Controller: If an individual makes a valid request under Article 17, the data controller must:
– Erase the Data: Without undue delay, typically within one month, unless an extension of up to two additional months is needed due to the complexity of the request.
– Notify Third Parties: If the personal data has been shared with other parties, the data controller must take reasonable steps to inform them of the individual’s request for erasure.
3. Exceptions to the Right to Erasure: The right to be forgotten is not absolute, and there are specific cases where the request for erasure may be denied:
– Freedom of Expression and Information: When the processing of the data is necessary for exercising the right of freedom of expression and information (e.g., journalistic purposes).
– Compliance with Legal Obligations: If the data is required to comply with a legal obligation or for performing a task carried out in the public interest (e.g., tax records).
– Public Health: When the data is needed for reasons of public health or in the public interest.
– Archiving and Research: When the data is processed for archival purposes in the public interest, scientific or historical research, or for statistical purposes.
– Legal Claims: If the data is necessary for the establishment, exercise, or defense of legal claims.
Application in Practice:
The right to be forgotten is often exercised in the context of online platforms, where individuals may request search engines (e.g., Google, Bing) or social media platforms to delete links to outdated or irrelevant information. While this right provides strong privacy protections, it requires a careful balance with the public’s right to access information, especially in cases involving public figures, journalism, or historical records.
Territorial Scope:
The right to erasure applies within the European Union (EU), but as defined by various court rulings (e.g., Google v. CNIL), it does not necessarily extend to global search results or outside of the EU jurisdiction. However, search engines are expected to apply the removal to EU-based versions of their platforms.
What are relevant court cases?
Several courts have ruled on the Right to Be Forgotten under the GDPR and similar privacy laws, shaping how this right is applied. Below are some of the most influential cases:
1. Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos (AEPD), Mario Costeja González (2014)
– Court: European Court of Justice (ECJ)
– Overview: This was the first major case establishing the Right to Be Forgotten. Mario Costeja González, a Spanish citizen, asked Google to remove search results linking to an old newspaper article about his financial troubles, which he argued were no longer relevant.
– Ruling: The ECJ ruled that search engines like Google are “data controllers” and must consider requests to remove links to personal information that is no longer relevant. This ruling established the individual’s right to request the removal of outdated or irrelevant data, even if it was lawfully published originally.
– Impact: This case laid the foundation for RTBF in Europe and led to search engines setting up procedures for handling removal requests.
2. GC and Others v. CNIL (2019)
– Court: European Court of Justice (ECJ)
– Overview: The French data protection authority (CNIL) ordered Google to remove certain search results not just from European domains (e.g., google.fr) but globally, which Google contested.
– Ruling: The ECJ ruled that while the Right to Be Forgotten applies within the European Union, it does not extend globally. Therefore, Google and other search engines must de-index search results from EU domains but not from non-EU domains.
– Impact: This clarified the territorial scope of the RTBF, reinforcing that the right is enforceable only within the EU, limiting its global reach.
3. NT1 & NT2 v. Google, LLC (2018)
– Court: High Court of Justice of England and Wales
– Overview: Two businessmen, anonymized as NT1 and NT2, sought to have Google de-list links to news stories about their past criminal convictions. NT1’s conviction was related to a business that collapsed, while NT2 had been convicted for a more serious offense.
– Ruling: The court ruled in favor of NT2, ordering Google to remove search results related to his conviction, considering it to be of less public interest and having a serious impact on his private life. However, the court ruled against NT1, finding that the information remained in the public interest due to the severity and nature of the crime.
– Impact: This case illustrated how courts balance privacy with public interest when applying the RTBF, particularly in relation to criminal records.
4. CNIL v. Google (2020)
– Court: Conseil d’État (France) & European Court of Justice
– Overview: The French Data Protection Authority (CNIL) ordered Google to globally apply RTBF requests, which led to a conflict over whether the right should extend to non-EU domains.
– Ruling: The ECJ ruled that Google was not required to apply RTBF globally but must ensure that delisting applies across all EU versions of its search engine. The ruling established that RTBF applies within the EU but not globally, reinforcing the principle from the 2019 GC v. CNIL case.
– Impact: This decision further solidified the territorial limitations of the RTBF, allowing local application without infringing on global freedom of information.
5. Duda v. Poland (2019)
– Court: European Court of Human Rights (ECHR)
– Overview: A Polish individual sought to have his criminal conviction erased from public records and digital spaces after it had been expunged. The request was initially denied, leading to a challenge based on privacy rights.
– Ruling: The ECHR ruled that the right to privacy, as established by the European Convention on Human Rights, allowed individuals to seek the deletion of personal data, even in cases where the data related to past criminal convictions.
– Impact: This case extended the application of privacy rights under RTBF, especially concerning expunged criminal records, giving weight to individuals’ rights to control personal information after serving their sentence.
6. Google, LLC v. Equustek Solutions, Inc. (2017)
– Court: Supreme Court of Canada
– Overview: Although not directly related to the EU GDPR, this case is often discussed in the RTBF context. In this matter, the Canadian courts ordered Google to de-index search results for a company selling counterfeit goods globally, not just in Canada.
– Ruling: The Supreme Court of Canada upheld a lower court ruling, affirming that Google must remove certain search results globally.
– Impact: While this case doesn’t involve the GDPR, it raises significant questions about the global enforcement of de-listing orders, influencing how courts outside the EU might approach RTBF.
Conclusion
Article 17 of the GDPR provides individuals with a powerful mechanism to request the removal of personal data under certain conditions, balancing privacy rights with the public’s interest in accessing information. The court rulings have significantly shaped how the Right to Be Forgotten is understood and enforced, especially regarding the balance between privacy rights and freedom of information, as well as the geographical scope of the RTBF.