How did the “Right to be Forgotten” come into existence?
There have been over 18,000 requests by Britons to remove over 60,000 web links from Google since the ‘right to be forgotten’ was introduced in May this year and approximately 35% of these links have already been removed.
The ruling made by the European Court of Justice was the result of a complaint made in 2010 by a Spanish citizen, Mario Costeja González, to the Agencia Española de Protección de Datos (Spanish Data Protection Agency, the AEPD) against the Spanish newspaper, La Vanguardia Ediciones SL, which included the details of the repossession of his home. The notice also appeared in Google search results for his name; he therefore requested that Google Spain or Google Inc. remove the personal data which related to him.
This case opened up the discussion of the ‘right to be forgotten’, as the 1995 Data Protection Directive did not cover all aspects of these new scenarios in which search engines were handling personal data. In the case of Mario Costeja González, it was argued that the information which appeared in search results for his name, i.e. the links to the La Vanguardia article, was out-dated and irrelevant as the proceedings had been fully resolved for a number of years.
What exactly is the “Right to be Forgotten”?
On 13 May 2014, the EU court ruling stated that, under the “Right to be Forgotten”:
“Individuals have the right – under certain conditions – to ask search engines to remove links with personal information about them. This applies where the information is inaccurate, inadequate, irrelevant or excessive for the purposes of the data processing (para 93 of the ruling).”
The important question to ask when looking at the overall picture is: are you really forgotten? The simple answer to this question would be no. There are some key aspects of the scope of the ruling that need to be looked at in order to fully understand how well it enables you to control your personal information online, the first of which is the “power of default”. The effect that the upcoming General Data Protection Regulation has on the support of the right to be forgotten also plays a critical role in allowing individuals to control the information that is shared about them online.
Why is the power of default important?
The “power of default” can be seen as the most important aspect. Since the ruling only affects search engines in Europe, if you request that your information is removed from google.co.uk, it can still remain available on google.com. In a recent article from the Guardian, this has been compared with closing the door but leaving all the windows open, i.e. it may not be possible to find an ‘uncensored’ listing of search results on the national search engine, but it is still possible to find it on google.com (or sometimes other country- or region-specific versions).
The argument made for this is that search engine users will default to the country- or region-specific version of the search engine (e.g. google.co.uk in the UK, google.es in Spain, google.fr in France). So, for example, when a request to delink a Spanish page has been processed on google.es, the likelihood that it will be found by interested users is low. However, it is not impossible. An example of this can be seen when we search for “Mario Costeja González” on google.com: on page 2 of the search results at the time of publishing, we find the article in question, which Mr Costeja González actually requested and successfully had removed.
The assumption that users only search in their country- or region-specific search engines is an issue as this is an easy way to get around the restrictions put in place by the right to be forgotten. Therefore, the question remains, should this be a national, pan-European or global initiative? This is also discussed in the previously mentioned Guardian article from Luciano Floridi, a member of the Google Advisory Council on the Right to be Forgotten.
What does the General Data Protection Regulation (GDPR) have to do with it?
The current laws around data handling and data processing can be seen as ‘out-dated’ considering what has come into existence since the Data Protection Regulation was enacted in 1995. It did not account for many of the aspects of the digital age, such as the exponential growth and usage of online search engines and information sources as well as the fact that much personal data is now handled in digital format, meaning that it can be transmitted and handled internationally much more easily than it could have been 20 years ago.
So, when it comes to the Right to be Forgotten, the GDPR comes into play as much more data is being processed on an international level. Therefore, defining the rights of EU citizens and the obligations of data handlers and processors (no matter where they are located) is crucial to how personal data is treated. As such, “non-European companies, when offering services to European consumers, must apply European rules”. This means that there is an obligation for the data controller who has made the personal data public to take ‘reasonable steps’ to inform third parties that the individual wants the data to be deleted.
The proposed GDPR will be significant in supporting the Right to be Forgotten: not only will it update current legislation on data handling and processing for the digital age, but it will also enable the creation of “a single market for data in the European Union and streamlining cooperation between the Member States’ regulators”.
What do you need to do now?
As an individual, it’s important that you familiarise yourself with any personal information or other information that relates to you which is made available online. The simplest way of doing this is to Google your name and search through the results, click on the links that are available and make sure the information is relevant and accurate. This personal information can affect many areas of your life including job prospects, reputation and the security of your data. Whether we like it or not, an online presence is part of our lives and, as individuals, we need to make sure that we are being accurately portrayed and protected from the effects of any false, irrelevant, out-dated or sensitive personal information being shared about us.
As a business and/or data handler, it is important to assess methods for handling and processing the personal data of employees, clients, prospects and business partners. There are multitudes of cases, information about which is freely available through media sources, where the manner in which businesses handle, store and dispose of their data has been put in the spotlight. In most cases, the mismanagement of data has resulted in hefty fines and irreversible reputational damage to businesses. For this reason, securing and protecting data is top of mind for many businesses at the moment: websites which store valuable customer, client or internal information are being targeted on a consistent basis, meaning that processes to secure and protect the data are an absolute requirement.
Based on our recent survey, in which 81% of IT managers admitted to being unfamiliar with the upcoming GDPR, the real issue in this area at the moment seems to be providing the relevant stakeholders with the information they require to fully understand the Right to be Forgotten and the proposed General Data Protection Regulation. This includes the legal and technical information they need to ensure that they are fully prepared to implement safe and secure practices in data handling and processing which meet the standard requirements of the RTBF and the upcoming GDPR.
Using our internal resources as a data management solutions provider, our team at Kroll Ontrack will be delivering educational webinars about the Right to be Forgotten and the General Data Protection Regulation to help our customers, partners and other interested individuals to fully understand the implications of the new regulations and empower them to take action where needed. This will include up-to-date information about the GDPR requirements as it develops. Join us for our upcoming sessions where you can find out what you need to know and ask our experts any questions you may have about your rights and responsibilities as an individual or as a business. You can also share your thoughts or questions in the comments section below.