Right to be Forgotten - what you need to know
Pretty much everyone has heard of the EU's GDPR (General Data Protection Regulation), as it was high up in the headlines as a proposed regulation prior to it coming into force in 2018.
The GDPR applies to all European Union member states and lays out the regulations regarding data collection, data protection and the rights of data controllers and individuals.
The Right to be Forgotten is Article 17 of the GDPR and it gives people the right to control their own data under certain circumstances.
Let's have a closer look at the right to be forgotten, how it works, and why this European Data Protection law impacts everyone in one way or another.
What is the Right to be Forgotten?
The Right to be Forgotten is the human right of the individual to request information be removed from Internet search engines and other online directories under certain, specific circumstances.
There has been a form of the right to be forgotten present in the EU since 2006, with long-standing discussions surrounding the careful balance necessary between the right to freedom of expression and free speech and people's rights to their own data and data protection.
Get in touch with Niki our online reputation expert today, in complete confidence.
History of the Right to be Forgotten
As a concept, the Right to be Forgotten has been under discussion and put into practice in various jurisdictions, including the Philippines, Argentina and the European Union, for many years.
The whole idea of a right to be forgotten derives from people wanting autonomy over their data, without it being used to stigmatise them in the future. In other words, people want the right for their past actions - or simply incorrect historical information about them - to be scrubbed from the Internet so that third parties can't use it against the.
Criminal convictions are the obvious example of the kind of data use that could adversely impact the data subject.
The Right to Be Forgotten: Two years on
|
Read more
Common arguments against the right to be forgotten
Controversy surrounds the very concept of an individual's right to be forgotten and ability to remove data from search engines.
Those arguing against the right to be forgotten in terms of data protection question the practicalities of treating such a right as an actionable, international human right.
Vague and differing regulations and differing rulings regarding its implementation contribute towards the ambiguity of applying this as a human right in practical terms.
The potential impact of such a right on other rights also causes controversy. For example, how is it possible to square the right to be forgotten with the right to freedom of expression? Furthermore, how does it work with the right to privacy and is it possible that the implementation of the right to be forgotten would lead to a less high-quality search function?
However, those who argue for the right to be forgotten citing circumstances such as revenge porn and the damage it does to people as a clear reason for it to exist. The same argument in favour includes instances of search results picking up someone's past criminal convictions or personally identifiable information.
Personal Reputation Management
|
Read more
From concept to implementation - the right to erase personal data
It all comes down to online reputation and its vital importance in the lives of individuals and the functionality of businesses.
Previous data protection laws in the European Union also intended to ensure that information about people shouldn't be used to damage them. However, this was largely predicated on the basis of a right to erasure, which was less all encompassing.
In the UK, there has been a long-held understanding that certain information (including a criminal conviction) about an individual should be 'spent' after a specified period of time. This can be seen with the Rehabilitation of Offenders Act, which was put in place in 1974.
The French Government also recognises, in law, 'le droit a l'oubli', which was first implemented in 2010.
So, while the 'right to be forgotten' as a term is relatively new, the ideas behind it are not.
European Court ruling in favour of the data subject over search engines
In 2014, the right to be forgotten was first officially recognised as a human right by the European Court of Justice. This was due to the ruling made in the case of Google Spain v Agencia Espanola de Proteccion de Datos, Mario Costeka Gonzalez.
The decision was that the search engine operator (in this case, Google) must consider legal claims from people to remove their data from Google search results according to certain circumstances.
These are:
- That the search results are inadequate.
- That the search results are irrelevant or no longer relevant.
- That the search results are excessive given the length of time since publication.
The seeds of the current General Data Protection Regulation can be found in the EU's implementation of the Data Protection Directive in 1995. This directive was brought in to provide regulation for the processing of personal data. Today, this is part of human rights law.
Managing Your Personal Information Online
|
Read more
Protecting the rights of individuals pertaining to data
As we've seen, the history of the RTBF has grown out of the concept that after a certain amount of time, a person’s past should not be considered when they seek employment.
The advent and development of the Internet, along with sophisticated search engines such as Google and Bing, made this kind of information very easy to find. Any employer can simply enter the applicant's name into a search engine and find out about their background in detail.
Should this adversely impact to applicant's chances of being employed due to old content or personal information that is no longer relevant, then it would fall under the right to be forgotten.
The Spanish case mentioned earlier revolved around a newspaper announcement about a forced property sale that was required to settle a debt. In 2009 Costeja (the data subject) contacted the newspapers to remove the record because the information had been found when searching for his name.
When the newspaper denied the request, Costeja contacted Google Spain to remove the search result. Google refused and eventually the courts ruled that Google had to remove the search results as it was a valid request, but the newspaper didn’t have to remove the original article.
And this is the ruling that effectively established precedence and validated the right to be forgotten law. However, a case in 2019 ruled that Google does not have to apply the law outside of the European Union and the UK.
Is any company exempt from compliance with GDPR?
In May 2018, the General Data Protection Regulation (GDPR) came into force. Created, as we've seen, to give individuals more control over their own personal data, the GDPR also governs and how that data is stored by third parties such as retailers, social networks or publications.
While the GDPR does make provisions for exemption for media companies, Google chose not to opt in to this. Therefore, as Google isn't categorised as a media company, it is not protected from the GDPR or the right to be forgotten.
The EU categorises Google as a data controller for the purposes of the data protection directive. All data controllers are legally required, in every EU member state, to delete data that is "inadequate, irrelevant or no longer relevant".
This is why the GDPR and the right to be forgotten have international and global implications. However, this ruling only applies to personal data. You cannot use the right to be forgotten to request that any business or commercial content, images or video are removed from Google's search results.
The future of data protection for individuals
The Right to be Forgotten is also referred to as 'the right to erasure' and has been EU law since 2018. In the UK, it comes under the post-Brexit Data Protection Act of 2018, which follows the EU's legislation.
This concept that gives individuals the civil right to ask search engines to remove personal data relating to them is a major step forward in the data protection. Information that comes under an erasure request can be any form of written content, such as blog posts, media articles or comments on a news story, images and videos.
Companies must consider RTBF requests individually and without prejudice
Given the broad strokes of the right to be forgotten, it's not surprising that it has come under fire from businesses and anti-censorship advocates.
Companies have a legal obligation to comply with the law without undue delay. This means that they must act upon a valid verbal request (or written) as soon as it is made, or face financial penalties.
The cost for the individual to request that a company meets its legal obligation varies depending on the content itself. For example, the amount or type of content informs the cost of making the request.
Reputation management experts such as Igniyte can help you exercise your right to be forgotten, with costs starting at a reasonable fee of £750 plus VAT.
Your rights under the Right To Be Forgotten
The GDPR applies to every EU member state - and any organisation that uses EU citizens' data and has done so since 25 May 2018.
Article 17 keeps the 1995 Directive’s intent to allow people to request their data is deleted when it’s no longer relevant. It also increases this right, to give people more control over who can access and use their data.
The RTBF gives individuals the chance to override perceived public interest in information about themselves.
If you are an EU citizen, you can ask an organisation to delete information or data they hold about you, without undue delay. This offers an avenue to protect a person's online reputation from being available to any and all Internet users.
Criteria for data privacy law to be effective
Under GDPR, an EU citizen can request that an organisation deletes the data subject's information if:
- The data originally collected is no longer relevant to the reason it was collected and contains sensitive personal information or if such information is considered to be outdated information.
- The person withdraws their consent for their data to be used (and the organisation has no other legal basis for collecting it).
- The person is objecting to the data being collected for direct marketing purposes. Or where their rights are overriding legitimate interest or legitimate interests in managing their data.
- The individual's data was unlawfully processed or considered sensitive data.
- Deleting the data is legally required.
- The data belongs to a child.
In all of these cases, the organisation must ensure the personal data erased the data as soon as possible.
If the personal data is in the public domain and can be found via Google or any other search engines, the organisation (also known as the data controller) must take “reasonable steps, including technical measures” to inform any other entity processing the data that the subject wants it to be removed.
However, if the data is deemed to be in the public interest, the requests don’t have to be honoured by the data controller.
What about the UK's right to be forgotten following Brexit?
All data protection rules stipulated within the EU's GDPR still apply to UK data processing. Some sections of GDPR were enshrined into UK law as part of the European (Withdrawal) Act.
There will be no change in the foreseeable future. However, it's not impossible that changes could now be made to personal data processing and the data subject's rights by the UK Government now that it is no longer under the jurisdiction of the European Parliament.
More details on Article 17 of the General Data Protection Regulation
Article 17 of the General Data Protection Regulation (GDPR) is officially called the 'right to erasure' but is often referred to as the right to be forgotten.
According to Article 17, any individual can request to a data controller that their own personal data be removed without any delay, and without incurring any costs to the person making the request.
This data includes any files in a database, including any backups, or anything that has potentially been moved to an archive. For example, data collected for the purposes of preventative or occupational medicine, information society services, statistical purposes, for scientific research or historical research.
GDPR terminology for the right to be forgotten
Companies use the terms data controller and data processor as they are clearly defined under and as they apply to GDPR.
Data controller refers to the person, organisation or entity that holds or processes personal data but does not exercise responsibility for or control over the personal data. For example, a cloud provider is considered to be a data processor.
A data processor can not hold copies of data, or make them available for other uses. The controller is responsible for deleting personal data and ensuring that it has been erased.
The individual whose data is held is the data subject and it is the data subject's right under GDPR to make multiple requests providing they meet the criteria.
When can I ask for my personal data to be deleted from Google or other directories?
Provided you live in a jurisdiction that is covered by the right to be forgotten or similar local laws concerning personal data, then you can make a request for it to be forgotten online.
Under these circumstances, you are the data subject and in order to ensure that a right to be forgotten request is made properly, you'll need to submit a Data Subject Access Request (DSAR) to remove or request what personal data a company holds about you.
That doesn’t mean that the controller will (or should) complete every right to be forgotten request to erase personal data. This is due to the legal differences between public, private and erroneous data that would need to be considered regarding personal data.
However, if they do agree to the removal request and erase all the versions of personal data that you want to see removed, then it can no longer show up in an Internet search result for someone else.
Can I remove unwanted content about myself online?
If an individual objects to the use of personal data about them, then they can make the request. However, as we've seen, there are specific criteria.
You can not request that information is removed simply because you do not like what you see. But in many cases, such as a health professional looking for a new job or a celebrity with a high level of visibility in public life, there are urgent reasons to want to make the request.
RTBF requests involve erasing personal data from search engines, such as Google search. This can include press coverage, outdated articles, pictures, or videos - anything that can be seen in public life. Even social media and directory services that publish your personal information will be considered.
There is no 'one size fits all' rule and any request will be looked at on a case-by-case basis.
What do I need to request that Google removes my data?
Google has a long-established procedure for dealing with these requests and removes links in some cases. You can use this form to submit a RTBF request.
When you make an application, Google will balance your privacy rights with what’s in the public’s interest to know along with the right to distribute information. This is where it helps to have professional advice and consult experts like Igniyte, who can investigate the legal aspects for you.
It’s also worth knowing that the Right to Be Forgotten also needs balancing against other rights, including freedom of expression. So, if the information is considered to be in the public interest it's unlikely to be removed.
How do I apply for the right to be forgotten?
To submit a request under the EU RTBF law, you need:
- An EU passport or driving licence to prove your identity.
- Details of the web address or link that you are requesting to be removed.
- The full search term, for example, your name.
- Reasoning as to why you feel the link is ‘irrelevant’, ‘not in the public interest’ or ‘outdated’.
Be aware, that this reasoning should be aligned to the EU ruling and cite law wherever possible. The reasoning must be persuasive enough that Google will consider it favourably against what's considered to be in the public interest.
Reasons why Google could refuse an application
Google will assess requests case by case. The search engine can ask you for more information to inform its decision. But the main thing to note is that Google will balance your privacy rights with what’s in the public interest to know and the right to distribute information.
Google can and does refuse applications where there is an alternative solution, technical reason, or duplicate URL.
Many factors are considered. These include the person’s professional life, a past crime, the need for professional secrecy, or whether they are in a political or public position. Or it could be whether the content is self-authored, is in an open document, or is journalistic.
Is every request for removal honoured by Google?
According to Google's transparency report, during the first five years of the implementation of the right to be forgotten, it received around 3.2 million requests to delete links from more than half a million individual requesters.
From these, Google determined that 45% met the criteria sufficiently well to be delisted. This shows just how much supporting evidence you need to make your request and have it adhered to.
Deciding whether the individual's data should be removed comes up against the public interest and it is not always clear which will come out on top. However, it is an absolute fact that an organisation such as Google must look into every single request on a case-by-case basis.
An advisor to the EU Court of Justice reiterated in April 2022 that search engines are legally obligated to look into the accuracy of every delinking request that is made. This advice from Advocate General Giovanni Pitruzzela derived from a German case involving two financial service companies accused of wrongdoing by a blog that the applicant says is extortion.
How can a Reputation Management company help with the Right to be Forgotten?
In theory, an individual can make an erasure request verbally or in writing. The law does not require that a specific form is filled or a particular individual is the recipient of requests.
But as you can see, it’s not always straightforward and it may be that Google or other search engines will consider the request not to be in the public's interest.
When deadlines haven’t been met, or your application has been ignored, then it’s good to know that help is at hand through established reputation management companies.
Our experience making requests can be essential when the situation is heading towards the need for legal claims to ensure action is taken. Fighting against what is considered to be in the public interest can feel like an uphill battle, but a team of experts and experienced professionals can help move it along.
For more information, and to find out how Igniyte can help you with requests, please get in touch. The cost to remove articles or images can vary depending on the amount and types of content but should always be a reasonable fee.
