The proposed Data Protection Regulation has been much highlighted of late. One of the more popular proposals relates to the so-called ‘Right to be Forgotten.’ In some quarters, the extent of the right appears to be controversial. To be more specific, certain internet companies appear voicing their concerns and, in some cases lobbying.
There are a number of ironies. Firstly, while such companies may be concerned about part or parts of the right to be forgotten, it is ironic to suggest that some of the most nimble, adaptable and technology aware companies cannot encompass some additional changes, if these are required by the right.
However, a further irony is that the right to be forgotten is not entirely new, as there are similar rights in the 1995 Data Protection Directive.
Article 17 of the proposed Regulation provides for the right to be forgotten and to erasure. It states,
‘1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially … personal data which are made available by the data subject while he or she was a child, where one of the following grounds applies:
(a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent …, or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data;
(c) the data subject objects to the processing of personal data pursuant to Article 19;
(d) the processing of the data does not comply with this Regulation for other reasons.
2. Where the controller … has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication.
3. [exceptions]
4. Instead of erasure, the controller shall restrict processing of personal data where:
(a) their accuracy is contested by the data subject, for a period enabling the controller to verify the accuracy of the data;
(b) the controller no longer needs the personal data for the accomplishment of its task but they have to be maintained for purposes of proof;
(c) the processing is unlawful and the data subject opposes their erasure and requests the restriction of their use instead;
(d) the data subject requests to transmit the personal data into another automated processing system in accordance with Article 18(2).
5. Personal data referred to in paragraph 4 may, with the exception of storage, only be processed for purposes of proof, or with the data subject’s consent, or for the protection of the rights of another natural or legal person or for an objective of public interest.
6. Where processing of personal data is restricted pursuant to paragraph 4, the controller shall inform the data subject before lifting the restriction on processing.
7. The controller shall implement mechanisms to ensure that the time limits established for the erasure of personal data and/or for a periodic review of the need for the storage of the data are observed.
8. Where the erasure is carried out, the controller shall not otherwise process such personal data.
9. The Commission [may] specify[]:
(a) the criteria and requirements for the application of paragraph 1 for specific sectors and in specific data processing situations;
(b) the conditions for deleting links, copies or replications of personal data from publicly available communication services as referred to in paragraph 2;
(c) the criteria and conditions for restricting the processing of personal data referred to in paragraph 4.’
Certain internet companies appear to be lobbying in order to restrict the right to be forgotten to personal data which individual data subjects have themselves divulged or uploaded. However, it does not take much to think of many examples which would fall outside of such a limited right to be forgotten. In such instances it is therefore possible for individuals, even children, to be left without protection and remedy.
Just recently the Information Commissioner’s Office imposed a fine of £250,000 in relation to a data breach/data loss incident where the personal data of millions of users was lost in separate incidents. Now we have an acknowledgement from Twitter that the e-mails, accounts and passwords of 250,000 of its users were breached in a hacking incident. Notwithstanding issues such as obligations on data controllers to notify customers and users when their personal data has been lost, accessed, etc, the sought after confinement of the right to be forgotten could mean that millions of data subjects would not be able to call upon their rights under the right to be forgotten if hackers, etc., post data online or otherwise disclose it.
While we marvel at the ever evolving wonders of technology and the internet, we are also coming to increasingly appreciate that on occasion there can be a dark side too. The many forms of online abuse (trolling, defamation, threats, breach of privacy and data protection, etc) can involve third-party material not put online by the victim. It can also involve the taking of a victim’s personal data from one location source and placing it or using it in an entirely different context; such use of data may be use which the victim not only has not consented to but would be positively horrified about.
These are all serious issues. It is unfortunate that we are witnessing a growing list of victims who commit suicide attributed to online abuse on social networks. There are even larger numbers of victims whose quality of internet experience is significantly diminished.
When the dark side of the internet surfaces, the right to be forgotten may prove to be the means by which internet web sites and victims of online abuse can restore balance and a safe(r) internet environment.
As is recognised in the proposed (or expanded) right to be forgotten, there is a clear risk that children are not yet fully aware of the dangers inherent in putting information online. Equally, they may not fully appreciate the importance of privacy setting and tools (when and where available). There are compelling reasons for young persons to be able to take embarrassing information down from the internet when they seek to apply to schools, universities or employment, when that data could otherwise have a detrimental influence upon such applications. Limiting the right would undermine the legitimate interests of children and young persons in protecting themselves.
We are only just entering the era of so-called digital natives, so it is too early to automatically assume that adults may not have legitimate interests in seeking to have online information deleted at some stage. One example that comes to mind is the advent of ‘revenge porn’ whereby ex-partners upload intimate pictures – again without consent. Limiting the right to be forgotten to directly uploaded images, etc, could mean that victims of revenge porn are devoid of redress. (See Guardian article in relation to revenge porn, by Jill Filipovic, 28 January 2013, available at http://www.guardian.co.uk/commentisfree/2013/jan/28/revenge-porn-degrades-women?INTCMP=SRCH).
At its essence the right to be forgotten is not about forgetting per se, it is about protection. It protects the privacy and personal data of individuals. In so doing it can be an essential safeguard against the dark side of the internet. At the same time, it can assist internet companies in protecting and enhancing the safety and quality of the user internet experience.
Whatever about trolls, no respectable business model for the internet seeks to include, permit or promote online abuse. The right to be forgotten complements responsible internet web sites.
These and similar issues will be in focus at the National University of Ireland Galway symposium entitled ‘Privacy from Birth to Death and Beyond: European and American Perspectives’ on 8 March 2013, jointly organised by the LL.M. in Public Law and the LL.M. in Law, Technology and Governance. Details are available at http://www.conference.ie/Conferences/index.asp?Conference=211.
Paul Lambert is a solicitor at Merrion Legal Solicitors
