Sylwia Żyrek
RIGHT TO BE FORGOTTEN AND RIGHT TO ERASURE: IN SEARCH OF NEW STANDARDS
The objective of this study is to examine the construction and added value of the right
to be forgotten as described in the draft proposal on the General Data Protection
Regulation1. The introductory section therefore describes the idea of oblivion and the
historical development of the rights protecting privacy that led to the conceptualisation of
the right to be forgotten. The second part examines effective measures adopted in Member
States that aim to protect the same value as the aforementioned right. The subsequent
section is a case study that illustrates how those measures deal with actual problems.
The final section examines the mechanism of the eponymous right: its crux, material and
personal scope, and exceptions. The conclusions of this article compare the effective legal
measures with the newly proposed standard and are supplemented by remarks on the
advantages, disadvantages and constitutional problems related to its adoption.
1. Introduction
Is time an illusion?
This problem remains unsolved by scientists, but once we realise that since its inception
in 1998 Google has stored every search query every user ever made and every search result
she ever clicked on 2, it is really hard to resist the feeling that the Internet turns our past
into an everlasting present. Albert Einstein did not need lifelogging applications on his
iPhone to figure out that there is no single special present and all moments are equally
real 3, but would we not rather forget about it?
Forgetting is an essential part of human memory4. Our brains continually overwrite
memories because without forgetting remembrance would be impossible5. The human memory
curve is steep, as our brains have developed the ability to recognize memories that are not
likely to be needed in future and consequently to place a low priority on them6. Therefore,
for our brains the past means erasure of useless information.
1 Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with
regard to the processing of personal data and on the free movement of such data, SEC(2012) 72 final, available
at: http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf [last access: May 1,
2014], hereinafter: Draft Regulation.
2 Viktor Mayer-Schönberger, “Useful Void: The Art of Forgetting in the Age of Ubiquitous Computing,”
Harvard University, John F. Kennedy School of Government, Working Paper Series, 1/2007, 2007, 1.
3 Craig Callender, “Is Time an Illusion?,” Scientific American, June 2010,
http://www.scientificamerican.com/article/is-time-an-illusion/.
4 Edward Carter, “Argentina’s Right to Be Forgotten,” Emory International Law Review 27–39, no. 1 (2013):
36.
On the Internet time is an illusion. As search is central to the functioning of the Internet,
and accuracy has become central to search7, the time of uploading content has become slightly
irrelevant. Contrary to the human brain, a search engine assumes that all information might
one day be accurate for someone, and therefore the Internet never forgets8.
But we do not want the Internet to remember our every click and every piece of content once
posted online forever. Such a permanent record in Google search results constitutes a threat
to our identities. An individual should have the right to define oneself9, change habits,
political views, religion, make mistakes and have a fresh start. Unfortunately, in the search
engine one cannot see the lapse of time and the evolution of opinions; every link looks
equally real. Therefore people who look for information about us – like prospective
employers 10 or college authorities – could get a false impression and on that basis make a
serious decision that influences our future.
In greater danger are minors, who were born surrounded by social media applications
and consider lifelogging daily activities normal. They are completely unaware of the
consequences of having their entire adolescent history recorded and made accessible to
everyone. But the truth is that in the face of the rapid development of technology and
psychology we are all minors unaware of the future consequences of posting data online. The
applications and websites that we currently use gather information not only about our search
history, but also about location, browsing habits, reading behaviour11, condition, emotions
and many more12. All of those, in conjunction with unprecedented forms of data matching,
de-anonymization and data mining, are used to create extensive “digital dossiers”13, and we
hardly know for what purpose they are used.
5 John T. Wixted, “The Psychology and Neuroscience of Forgetting,” Annual Review of Psychology 55, no. 1
(2004): 264.
6 Lael J Schooler and Ralph Hertwig, “How Forgetting Aids Heuristic Inference,” Psychological Review 112,
no. 3 (July 2005): 624.
7 Jonathan Zittrain, “Reputation Bankruptcy :: Future of the Internet – And How to Stop It.,” accessed May 9,
2014, http://blogs.law.harvard.edu/futureoftheinternet/2010/09/07/reputation-bankruptcy/.
8 Jeffrey Rosen, “Free Speech, Privacy, and the Web That Never Forgets,” Journal on Telecommunications &
High Technology Law 9, no. 2 (Spring 2011): 345.
9 Norberto Nuno Gomes de Andrade, “Oblivion: The Right to Be Different … from Oneself. Reproposing the
Right to Be Forgotten,” IDP. Revista de Internet, Derecho y Política 0, no. 13 (March 15, 2012): 125,
doi:10.7238/idp.v0i13.1375.
10 See Snyder v. Millersville Univ., 2008 U.S. Dist. LEXIS 97943 (E.D. Pa., Dec. 3, 2008); Stacy Snyder was
“young woman who was about to graduate from teachers college, and days before her graduation her employer,
a public high school, discovered that she had posted on MySpace a posting criticizing her supervising teacher
and a picture of herself with a pirate’s hat and a plastic cup and she had put the caption “drunken pirate” under
it. The school concluded that she was behaving in an unprofessional way and promoting underage drinking.
Therefore, they did not allow her to complete her student teaching practicum. As a result, her teachers college
denied her a teaching certificate.” Rosen, “Free Speech, Privacy, and the Web That Never Forgets,” 346.
For the last few years there has been a very fruitful discussion about finding a new
standard for the protection of our privacy and identity online. The issue of the judgement in
the case Google Spain and Google14, where the Court of Justice of the European Union
(hereinafter: CJEU) declared that Google must respect the right to be forgotten15, is a good
occasion to sum up its outputs.
This paper aims to compare effective legal measures protecting identity online with the
standards proposed by the European Commission in the Draft Proposal and by scholars. Hence,
the following paragraphs examine the history of the right to be forgotten and the effective
legal measures adopted on the supranational and Member-State level that are used to induce a
similar effect to the right, and illustrate with actual case-law how they deal with recent
problems. The last part is devoted to an analysis of the aforementioned right as described in
the Draft Regulation. The examination covers the substance, the material, personal and
territorial scope of application, exceptions, sanctions and possible consequences of
implementation. In conclusion the author claims that this proposal solves urgent problems but
needs to be improved in order to eliminate doubts as to the scope of its application and a
potential conflict with values protected on the constitutional and conventional level.
1. Protection of privacy in context of image
1.1. Retrospection
Concepts focused on the protection of an individual’s image originate from the right to
privacy16. In Europe this right is considered to be a personal right predicated on dignity17
that has been explicitly introduced by Article 8 of the European Convention on Human Rights
(hereinafter: ECHR). The Charter of Fundamental Rights of the European Union also gives
protection to this right and supplements it with the right to protection of personal data
(Article 8) 18. What is more, European countries are also signatories of Convention 108 of the
Council of Europe, which focuses especially on automatic processing of personal data19.
The ‘idea of erasure’ of data was first introduced by the 1995 Data Protection Directive
(95/46/EC)20 but the construction itself derives from the French concept of le droit à
l’oubli21. The right to oblivion22 protects a convicted criminal who has served his sentence
from being confronted with information concerning his criminal past23. This conception is
based on the aims of a criminal sentence. Criminal punishment is supposed to bring back
justice on the one hand and influence the criminal’s behaviour so as to prevent him from
committing crimes in future, on the other. Thus, some time after the sentence has been served
the punished person should be able to reintegrate into society without having past experience
ruin his reputation24.
Subsequent to the Data Protection Directive was the Stockholm Program 25, which
produced a five-year plan for Member States concerning inter alia the exercise of privacy
within the promotion of fundamental rights26.
Finally, in 2012 the European Commission presented the Draft Proposal that seeks to give
individuals more control over their personal data by means of the right to be forgotten and
data portability27,28.
11 Jef Ausloos, “The ‘Right to Be Forgotten’ - Worth Remembering?,” Computer Law & Security Review 28,
no. 2 (2012): 4.
12 See for example: Alessandro Fantechi et al., “An On-line System for Automated Recognition of Human
Activities,” European Journal of Law and Technology 4, no. 2 (August 12, 2013),
http://ejlt.org//article/view/189.
13 Meg Leta Ambrose and Jef Ausloos, “The Right to Be Forgotten Across the Pond,” Journal of Information
Policy 3 (2013): 5.
14 Judgement Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos (AEPD), Mario
Costeja González, C‑131/12, ECLI:EU:C:2014:317.
15 Foo Yun Chee, “European Court Says Google Must Respect ‘Right to Be Forgotten’,” Reuters, May 13, 2014,
http://www.reuters.com/article/2014/05/13/us-eu-google-dataprotection-idUSBREA4C07120140513.
16 Some authors distinguish between the right to have data protected (a procedural right) and substantive rights:
the right to privacy (referring to information that is not disclosed) and the right to identity (referring to
information that constitutes one’s image); see: Gomes de Andrade, “Oblivion: The Right to Be Different … from
Oneself. Reproposing the Right to Be Forgotten.”
17 Laura Lagone, The Right to Be Forgotten: A Comparative Analysis, SSRN Scholarly Paper (Rochester, NY:
Social Science Research Network, December 7, 2012), 2, http://papers.ssrn.com/abstract=2229361.
18 Ambrose and Ausloos, “The Right to Be Forgotten Across the Pond,” 6.
19 Council of Europe, Convention for the Protection of Individuals with Regard to Automatic Processing of
Personal Data, No. 108, Jan. 28, 1981. In late 2010 the Council initiated a process to modernize this convention.
See Council of Europe, “Modernization of Convention No. 108,” accessed Feb, 14, 2013,
http://www.coe.int/t/dghl/standardsetting/dataprotection/modernisation_en.asp.
20 Muge Fazlioglu, “Forget Me Not: The Clash of the Right to Be Forgotten and Freedom of Expression on the
Internet,” International Data Privacy Law, May 27, 2013, 1, doi:10.1093/idpl/ipt010.
21 Emily Shoor, “Narrowing the Right to Be Forgotten: Why the European Union Needs to Amend the Proposed
Data Protection Regulation,” Brooklyn Journal of the International Law 39, no. 1 (2014): 492.
22 For definitional and terminological difficulties in translating those term see: Napoleon Xanthoulis, “Right to
Oblivion in the Information Age: a Human-rights Based Approach,” US-China Law Review, no. 10 (2013): 86.
23 Lilian Mitrou and Maria Karyda, EU’s Data Protection Reform and the Right to Be Forgotten: A Legal
Response to a Technological Challenge?, SSRN Scholarly Paper (Rochester, NY: Social Science Research
Network, February 5, 2012), 7, http://papers.ssrn.com/abstract=2165245.
24 Robert Kirk Walker, “The Right to Be Forgotten,” Hastings Law Journal, no. 64 (November 20, 2012): 272,
http://papers.ssrn.com/abstract=2017967.
25 European Commission, ‘Action Plan on the Stockholm Programme’ (Communication) COM (2010) 171 final.
26 Fazlioglu, “Forget Me Not,” 2.
1.2. Current means protecting individuals from damage caused by data posted online
1.2.1. Supranational level
The right to privacy is protected both by the ECHR and the EU Charter but it does not
automatically mean that in every case the right to privacy obtains protection. While
individuals who have had their rights violated by journalistic publications seek to get an
injunction and have materials taken down from the Internet, the European Court of Human
Rights (hereinafter: ECtHR) interprets the provisions of the Convention related to freedom of
expression in a way that forbids courts from rewriting history by imposing such drastic
sanctions29. Thus sometimes the right to privacy must give way to freedom of expression.
On the supranational level only Directive 95/46/EC30 provides an express regulation that
orders Member States to equip individuals with a useful tool that gives them control over
their data. The right to erasure as constituted in Article 12(b) sets forth that Member States
shall guarantee every data subject the right to obtain from the controller, as appropriate, the
rectification, erasure or blocking of data that is incomplete or inaccurate. Consequently,
individuals within the EU could enforce this right pursuant to regulations implemented by
Member States.
The case law of the CJEU clarifies that this provision and Article 14(a) should be interpreted
in a way that obligates the operator of a search engine to remove from the list of results
displayed following a search made on the basis of a person’s name links to web pages
published by third parties and containing information relating to that person. It is irrelevant
whether the information is erased beforehand or simultaneously from those web pages and
whether publication in itself on those pages is lawful 31. What is more, individuals are
entitled to invoke this right regardless of (lack of) prejudice caused to them by the
information32.
27 European Commission, ‘Commission Staff Working Paper’ SEC (2012) 73 final, 5.
28 According to COM(2010) 609 final data portability is a right for an individual to withdraw his/her own data
(e.g., his/her photos or a list of friends) from an application or service so that the withdrawn data can be
transferred into another application or service, as far as technically feasible, without hindrance from the data
controllers.
29 Węgrzynowski and Smolczewski v. Poland, Application No 33846/07, Merits and Just Satisfaction, 16 July
2013.
30 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of
individuals with regard to the processing of personal data and on the free movement of such data, Official
Journal L 281, 23/11/1995 P. 0031 – 0050, hereinafter: Directive on data protection.
31 Google Spain and Google, op. cit., rec. 88.
32 Ibid., rec. 96.
As to enforcing rights relating to privacy online, the Brussels I 33 and Rome I 34
Regulations provide useful solutions. Article 16 of the former states that a consumer may bring
proceedings against the other party to a contract either in the courts of the Member State in
which that party or consumer is domiciled. Article 6(1) of Rome I sets forth that a contract
between a consumer and a professional shall be governed by the law of the country where the
consumer has his habitual residence if the latter pursues his commercial or professional
activities in the country where the consumer has his habitual residence, or by any means
directs such activities to that country.
In the present case it means that any time a consumer’s rights regarding privacy have
been violated and a contractual relationship can be identified between the consumer and the
service provider (like Facebook Inc. or Google Inc.), the consumer could lodge his claim before
his national courts and national law applies, regardless of what was imposed by the standard
form contract 35. After the Regulation on Online Dispute Resolution 36 comes into force in
2015, disputes of this kind could be solved using a single online platform.
1.2.2. Member State level
Member States in general have not yet regulated any specific measures regarding the
protection of image online. It does not necessarily mean that in case of damage individuals are
deprived of judicial protection. In fact, some of the cases fall within the ambit of civil,
tortious and criminal regulations.
Most of the civil law countries have long respected personality rights that include the
right both to control the usage of one’s image and to protect reputation 37. For instance, the
Polish Kodeks cywilny in Article 24 provides a very broad formula whereby anyone whose
personality right is endangered by another person’s act could demand that the act cease unless
it is not unlawful.
33 Regulation No 44/2001 of 22 December 2000 on jurisdiction and the recognition and enforcement of
judgments in civil and commercial matters.
34 Regulation No 593/2008 of 17 June 2008 on the law applicable to contractual obligations.
35 According to Article 16(1) of Facebook’s Statement of Rights and Responsibilities, the user shall resolve
any claim, cause of action or dispute (claim) that arises out of or relating to this Statement or Facebook
exclusively in the U.S. District Court for the Northern District of California or a state court located in San Mateo
County, and agrees to submit to the personal jurisdiction of such courts for the purpose of litigating all such
claims. The laws of the State of California will govern this Statement, as well as any claim that might arise
between user and FB, without regard to conflict of law provisions. Unfortunately for Facebook, this provision
could be classified as an unfair term within the meaning of Article 3 of Directive 93/13/EEC and therefore is not
binding. In lieu thereof the Rome I and Brussels I regulations apply.
36 Regulation No 524/2013 of 21 May 2013 on online dispute resolution for consumer disputes and amending
Regulation (EC) No 2006/2004 and Directive 2009/22/EC.
37 Jeanne Hauch, “Protecting Private Fact in France: The Warren & Brandeis Tort Is Alive and Well and
Flourishing in Paris,” Tulane Law Review, no. 68 (1994 1993): 1228.
The French Code civil provides an approach that is more focused on the right to privacy.
Article 9 38 states that everyone has the right to respect for his private life and therefore,
without prejudice to compensation for injury suffered, the court may prescribe any measures
(e.g. sequestration or seizure) appropriate to prevent or put an end to an invasion of personal
privacy.
Privacy rights aim to put an end to a breach; however, if such a breach causes damage then
the general provisions relating to compensation for loss apply. Referring to the French
example, if an individual suffered loss then he could claim damages according to Article 1382
of the Code civil. It provides the classical, tortious formula that any human act whatsoever
which causes damage to another obligates him by whose fault the act occurs to repair the
damage 39. A similar solution is established in the Polish Kodeks cywilny40.
When harmful behaviour is also reprehensible some jurisdictions classify it as a crime
(as in Poland41 or Germany42), while in others it remains a tort (as in the Netherlands43).
Summing up, current measures adopted by Member States identify the problem of
protecting an individual’s image. However, as civil law measures they are based on the terms
of breach, loss and causation and therefore they do not always provide a flexible remedy.
Issues related to privacy on the Internet evolve all the time and slip out of the classical
terms of breach, loss and causation. Securing privacy of data is not as much concerned with
bringing back justice as civil-law measures are. For the sake of protecting privacy on the
Internet it is not that important who posted the content and how many links in the chain there
were between him and the person equipped with tools that enable erasure of the content. It is
also irrelevant whether a data subject suffered financial loss or trauma. The major point is to
have the unwanted, misleading information taken down or rectified. Who could demand it, why
and by which measures remains an open question.
1.3. New proposals
Securing the privacy of people living in the digital age is a great challenge both for
lawyers and computer scientists, and consequently many proposals have arisen. The most widely
recognized is the right to be forgotten. What the substratum of this right is remains a bit
ambiguous, but in simple words it could be described as “the right of individuals to have their
data no longer processed and deleted when they are no longer needed for legitimate
purposes 44”. Further analysis of this problem is contained in point 3 of this paper.
38 Article 9: Chacun a droit au respect de sa vie privée. Les juges peuvent, sans préjudice de la réparation du
dommage subi, prescrire toutes mesures, telles que séquestre, saisie et autres, propres à empêcher ou faire cesser
une atteinte à l'intimité de la vie privée : ces mesures peuvent, s'il y a urgence, être ordonnées en référé.
39 Hauch, op.cit., p. 1232.
40 The Polish Civil Code divides losses into pecuniary and non-pecuniary, and therefore establishes Article 415,
which is similar to French Article 1382 and deals with financial loss, and Article 448, which covers cases
concerning non-financial loss.
41 Article 212 of Polish Criminal Code.
42 §185-189 of German Criminal Code.
43 Article 167 of book 6 of the Civil Code of Netherlands.
An alternative solution to adoption of the right to be forgotten was proposed by Viktor
Mayer-Schönberger and consists in giving data an expiration date 45. According to
Mayer-Schönberger, it would allow users to determine the length of time they want something to
remain online; consequently the data could pass from non-human memory just like it would
pass from human memory46. This approach is subject to some criticism. From a user’s
standpoint it might be difficult to establish at the moment of posting content how long it
should be available online. Thus, an annoyed user who posts lots of information daily and is
not much concerned about the future of that information would automatically set the longest
processing period or turn off this option.
Despite criticism on theoretical grounds, the idea of developing technology to make digital
data disappear after a specified period of time is nothing new. Flash memory chips adopted it
in the 00s. In 2009 it was announced that computer scientists had developed a way to make
electronic messages “self destruct” after a defined period of time, just like messages in sand
lost to the surf47. TigerText48 could serve as an example of a platform that makes use of this
construction. This is a cross-platform application that sends text messages with a limited
lifespan that will be deleted when the information contained is no longer required49. There has
also been an idea of implementing an expiration date for information by measures exploiting
encryption based on a symmetric key 50 51, but they failed owing to the nature of the Internet.
Mechanisms aiming to erase non-textual content that was sampled by a certain key turn out to
be helpless in an environment where every file could be downloaded and duplicated ad
infinitum52.
44 Communication from the Commission to the European Parliament, the Council, the Economic and Social
Committee and the Committee of the Regions, A comprehensive approach on personal data protection in the
European Union, COM(2010) 609 final, p. 8.
45 Viktor Mayer-Schönberger, Delete: The Virtue of Forgetting in the Digital Age (Princeton N.J.: Princeton
University Press, 2011).
46 Ibid., 183.
47 John Markoff, “New Technology to Make Digital Data Self-Destruct,” The New York Times, July 21, 2009,
sec. Science, http://www.nytimes.com/2009/07/21/science/21crypto.html.
48 http://www.tigertext.com/
49 Shoor, “Narrowing the Right to Be Forgotten,” 513.
50 This kind of applications allow users “automatically to erase designated photos using electronic keys that
expire after short periods of time, obtained by solving a CAPTCHA, one of those graphics that are impossible to
read where you have to type in fixed-number combinations. The application ensures that once the timestamp on
the photo has expired, the key disappears.” Jeffrey Rosen, “The Deciders: The Future of Privacy and Free
Speech in the Age of Facebook and Google,” Fordham Law Review 80, no. 4 (March 19, 2012): 1535.
51 For instance Vanish (http://vanish.cs.washington.edu) or X-Pire! (http://www.backes-srt.de/produkte/x-pire)
Some other authors point out that the right to be forgotten and the idea of an expiration
date on information are complementary. Implementing expiry dates on certain forms of data
gives control over the data while the right to be forgotten provides further autonomy53.
Another alternative to a right to be forgotten is a scheme for online reputation
insurance introduced by Evgeny Morozov 54. According to Morozov netizens need a
mandatory insurance scheme for online disasters. If an accidental disclosure of information
caused an information tsunami that destroyed one's reputation the way a real tsunami can
destroy one's home, then the user could claim monetary compensation that would let him start
a new life or use one of those start-ups to improve online reputation.
Actually, such a solution is available for corporate clients 55, so Morozov’s point is to
extend this option to individuals. In Morozov’s estimation this conception deserves attention
because, unlike the right to be forgotten, it does not constitute a threat to the freedom of
expression, and it gives victims of information tsunamis at least a semblance of proper
compensation, contrary to both civil law and EU proposals.
The biggest disadvantages of this option are that it would only provide
compensation for those who have already suffered large-scale reputation harm and that it has
no preventive effect56. Contrary to the right to be forgotten it would be applicable only when
the damage has already been done and does not give any measure to avoid the information
tsunami.
Eric Schmidt, Google CEO, once told the press that in his estimation society does not
understand “what happens when everything is available, knowable and recorded by everyone
all the time”57 and therefore, not entirely seriously, he predicts that “every young person one
day will be entitled automatically to change his or her name on reaching adulthood in order to
disown youthful hijinks stored on their friends' social media sites”58.
52 The Right to Be Forgotten - Between Expectations and Practice — ENISA, Report/Study, 11–12, accessed
March 21, 2014, http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/the-right-to-beforgotten.
53 Paul Alexander Bernal, “A Right to Delete?,” European Journal of Law and Technology 2, no. 2 (September
7, 2011): 13, http://ejlt.org//article/view/75.
54 Evgeny Morozov, “The Information Welfare State,” Slate, February 20, 2012,
http://www.slate.com/articles/technology/future_tense/2012/02/_right_to_be_forgotten_how_facebook_google_and_other_companies_can_protect_internet_user_privacy_.html.
55 Stephen Grocer, “AIG Debuts Reputation Insurance,” WSJ Blogs - Deal Journal, October 11, 2011,
http://blogs.wsj.com/deals/2011/10/11/aig-debuts-reputation-insurance/.
56 Shoor, “Narrowing the Right to Be Forgotten,” 516.
57 Holman W. Jenkins Jr, “Google and the Search for the Future,” Wall Street Journal, August 14, 2010, sec.
Opinion, http://online.wsj.com/news/articles/SB10001424052748704901104575423294099527212.
This idea has been taken seriously and developed by Jonathan Zittrain. He finds
interconnections between massive profiling of our behaviour online and the reputation systems
adopted by websites like Amazon or eBay that ask users to rate objects and users 59. In his
opinion search is central to the functioning of the Internet and reputation becomes central to
search. Therefore he foresees a “whole-person” reputation rating system 60 based on a
construction that we already know from eBay or Amazon: as we rate objects, sellers and
buyers, in future we could also rate all netizens. On the one hand it could help us make the
first cut on whom to meet, to date or to befriend61, but on the other, all information once left
online stays on the permanent record.
Such a reputation market has been adopted by the social media platform Cyworld 62.
Cyworld had twenty million subscribers who could rate interactions between each other (i.a.
friendliness, sexiness, karma, kindness, fame), and thus people interact aiming to maximise
the kinds of behaviour that augment their ratings, in the same way that websites try to reach
prominent positions in the Google ranking.
Actually, Facebook enables its users to use thousands of applications that monitor most
daily activities, like training and condition, music currently listened to or books read,
places visited, food eaten and many more. Supplementing this composition with another app that
aims to evaluate reputation would be nothing exceptional. With it or without it, social media
collect thousands of pieces of information about us, so we should have an option called
“reputation bankruptcy”63. Like personal financial bankruptcy, reputation bankruptcy aims to
give a fresh start; people should have a chance to de-emphasize or entirely delete older
information that has been accumulated in relation to their person. Just like a seller on eBay
who has too many negative comments, instead of changing a name we could just erase our account
with all related information and sign up again.
What all of these concepts have in common is the idea of protection from the negative
impact of old information on Internet users’ present and future. Most of those concepts are
preventive and assume a right to have information erased. The authors do not pay much
attention to distinguishing between true and false information, or between defamatory, neutral
and positive information. The crux is to have the right to silence on past events in life that
are no longer occurring64.
58 Ibid.
59 Zittrain, “Reputation Bankruptcy.”
60 Meg Leta Ambrose, “It’s About Time: Privacy, Information Life Cycles, and the Right to Be Forgotten,”
Stanford Technology Law Review 16 (2013): 394.
61 Zittrain, “Reputation Bankruptcy.”
62 http://global.cyworld.com/; this portal has been closed on February 10th, 2014.
63 Zittrain, “Reputation Bankruptcy.”
2. Current case-law
The following case law aims to illustrate how the effective legal means deal with the
protection of individuals’ image and reputation. As the right to be forgotten in the Draft
Regulation would apply to all those situations, the cited cases also set the scene for
reflection on how this legal solution would help with current problems.
2.1. Węgrzynowski and Smolczewski v. Poland65
The facts of the case concern an article published in 2000 by two journalists in the national
daily newspaper Rzeczpospolita about Polish lawyers, W. and S. In this article the claimants
were alleged to have taken unjustified benefits from the way in which they had carried out
their professional roles as liquidators of State-owned companies in bankruptcy. The publication
clearly stated that this shady business involved politicians and over the years resulted in
the accumulation of enormous fortunes66.
W. and S. brought an action for the protection of personal rights (Articles 23 and
24 of Kodeks cywilny) and succeeded. The sentence ordering the journalists and editor-in-chief
to pay PLN 30,000 and to publish an apology in the newspaper entered into force in 2003.
The following year W. and S. found out that not only did Rzeczpospolita publish the article in
the newspaper but it had also moved it to an online archive, and the latter content remained
accessible on the RP’s website. What is more, after typing the claimants’ surnames in Google
this article was positioned prominently in the search engine and therefore let a large number
of people interested in gathering knowledge about the lawyers read it. No mention of the
judgement was made in the text.
Consequently the lawyers pursued another claim based on the same provisions, this
time seeking an injunction forcing the newspaper to take the publication down or at least
to annotate it with a reference to the previous ruling. Despite the fact that the protection granted in
the first judgment turned out to be illusory, this claim did not succeed. The Warsaw Regional
Court pointed out that such preventive censorship is incompatible with the freedom of speech
64 Giorgio Pino, “The Right to Personal Identity in Italian Private Law: Constitutional Interpretation and Judge-Made
Rights,” in The Harmonization of Private Law in Europe, by Mark Van Hoecke (Oxford: Hart Publishing,
2000), 237, http://www.unipa.it/gpino/The%20right%20to%20personal%20identity.pdf.
65 Application No 33846/07, Merits and Just Satisfaction,16 July 2013, available online:
http://hudoc.echr.coe.int/sites/eng/pages/search.aspx?i=001-122365 [last access: April 27, 2014].
66 Dominic McGoldrick, “Developments in the Right to Be Forgotten,” Human Rights Law Review 13, no. 4
(December 1, 2013): 768–769.
guaranteed by the Constitution. In the estimation of the Court of Appeal, because the plaintiffs did
not make a specific request in the first set of proceedings for remedial measures in respect of the
online publication, it is impossible for the court in the present case to examine facts which had
already existed prior to that judgment. The plaintiffs cannot lodge a new claim
based on factual circumstances that had already existed during the previous proceedings,
especially as the existence of the online publication was not a fact which would have
been impossible to establish at that time67.
Both W. and S. sought to pursue a claim before the ECtHR based on a violation of
Article 8 of the ECHR68 (right to respect for their private life and reputation). The application of
the former was found inadmissible owing to a failure to comply with procedural
requirements. As for the merits of Smolczewski’s claim, the Court held that there had been no
violation of Article 8 ECHR.
In the ECtHR’s estimation, requiring a newspaper to take an article down from its online
archive violates Article 10 ECHR (freedom of expression). It is not the role of the judiciary to
rewrite history by ordering the removal from the Internet of all traces of publications that have
been found to amount to unjustified attacks on individual reputation69. However, an order to
add an appropriate qualification to an article contained in an Internet archive, where it has
been brought to the notice of a newspaper that a libel action has been initiated in respect of
that same article published in the written press, complies with the aforementioned freedom70. But
as the claimants failed to fulfil the procedural requirements explained by the Court of Appeal, the ECtHR
cannot interfere.
The ECtHR also noted differences between the Internet and printed media. In obiter dicta the
Court explained that those two sources of information would never be subject to the same
regulation and control. “The risk of harm posed by content and communications on the
Internet to the exercise and enjoyment of human rights and freedoms, particularly the right to
respect for private life, is certainly higher than that posed by the press. Therefore, the policies
governing reproduction of material from the printed media and the Internet may differ. The
67 Węgrzynowski and Smolczewski, para. 16.
68 Article 8 sets forth: “1. Everyone has the right to respect for his private and family life, his home and his
correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in
accordance with the law and is necessary in a democratic society in the interests of national security, public
safety or the economic wellbeing of the country, for the prevention of disorder or crime, for the protection of
health or morals, or for the protection of the rights and freedoms of others.”
69 Węgrzynowski and Smolczewski, para. 65.
70 Węgrzynowski and Smolczewski, para. 59.
latter undeniably have to be adjusted according to technology’s specific features in order to
secure the protection and promotion of the rights and freedoms concerned”71.
In conclusion, the legal measures did not grant sufficient protection to the privacy of
the claimants. Only because they noticed the online version of the article too late, the courts let
this content remain available online forever. However, on the publisher's own initiative the
defamatory material has been removed from the online archives of the newspaper.
2.2. A.L. against Google Poland
In 2002 Piotr Pytlakowski published in Polityka an article about a criminal group, in which he
described the history of gangsters swindling money from businessmen72. One of those
businessmen was A.L. As he did not agree to pay ransom, his café was burned and the
offenders threatened his family. A.L. decided to testify against the group and maintained his statements
despite further threats. The proceedings against the criminals took several years and revealed many
pathologies of the Polish criminal justice system, and for all of this time his family was
threatened.
Recently A.L. found out that when he types his name into Google, the search engine
shows in a prominent position a link to Polityka’s online archive. Unfortunately,
the search engine's algorithm has chosen random words from the entire article that together form
a sentence: “Case of the gangster well-known in Olsztyn proves… A.L. lessee of the firm…
demanded for so-called guard 3.000 PLN”.
According to A.L., such a cluster of words leaves a person who searches for information
about him with the impression that he is the gangster. Doubts are difficult to dispel because full
access to the article is blocked and requires payment.
In 2012 A.L. sent an email to Google asking the service provider to delete
the description as it violates his personal rights. Google replied that they receive many such
alerts and would react when they found time and if they considered the case a violation. For
two years the description was not deleted.
In 2014 A.L. sued Google Poland before a Polish court for violation of personal rights in
the context of the right to be forgotten73. According to the claimant his reputation has been
impaired and some clients have even refused further cooperation because of this situation.
71 Węgrzynowski and Smolczewski, para. 58.
72 Piotr Pytlakowski, “Bardzo Biedny Gangster,” Polityka, no. 24 (June 15, 2002): 30–31.
73 Mariusz Jałoszewski, “Jak Google z Pogromcy Mafii Zrobił Gangstera.,” Gazeta Wyborcza, April 19, 2014,
http://wyborcza.pl/1,75478,15826544,Jak_Google_z_pogromcy_mafii_zrobil_gangstera__Zada.html.
He states that the search engine is responsible for what it finds and how it describes it. A.L.
demanded that the description be blocked and 10.000 PLN in compensation.
Google Poland rejects the claims. In its lawyers’ estimation it could not be sued
because it is engaged only in marketing and advertising; the American Google from Mountain View
is responsible for search services and servers.
The possible outcome is difficult to predict. Some Polish lawyers state that
Google Poland could be found liable under Article 422 of Kodeks cywilny, which provides for the liability
of a helper. If Google Poland were considered to have helped Google U.S. in publishing the
information, the victim could claim damages for loss. The question at stake is whether this
provision establishes liability for pecuniary harm only or for both pecuniary and non-pecuniary harm.
The Polish civil code provides a numerus clausus of situations where a person could be sued for
non-pecuniary damage and none of them refers to Article 422. Consequently, there is no obvious answer.
Another scenario refers to the provisions of the Act on providing services by electronic
means74. Accordingly, an entity is not liable for unlawful content until it has been successfully
informed of it. The problem at stake is what happens if attempts to inform Google U.S. are constantly
unsuccessful.
The case is still pending and, as the effectiveness of legal measures is in question, A.L.
contacted Polityka. The latter agreed to erase some content from the website, which resulted in
the erasure of the description in the search engine. However, the applicant maintains the claim.
2.3. Google Spain SL and Google Inc. against Agencia Española de Protección de
Datos (AEPD) and Mario Costeja González75
The facts of the case concern the press publication of announcements concerning a real-estate
auction connected with attachment proceedings prompted by social security debts. Mario
González was mentioned as the owner of the estate. Later this information was moved to
the newspaper's online archive. Eleven years after the proceedings M.G. found out that
Google links to this announcement when he enters his name in the search engine. M.G.
therefore contacted the publisher and pointed out that the attachment proceedings relating to his social
security debts had been concluded and resolved many years earlier and were now of no
relevance. In reply the publisher stated that erasure of his data was not appropriate, given that the
publication was effected by order of the Ministry of Labour and Social Affairs.
Subsequently M.G. contacted Google Spain and asked them to make changes in
the engine so that his name would not be associated with the article. As in the Polish case, Google Spain
74 Ustawa z dnia 18 lipca 2002 r. o świadczeniu usług drogą elektroniczną, Dz. U. z 2013 r. Nr 0, poz. 1422.
75 Judgement Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos (AEPD), Mario
Costeja González, C‑131/12, ECLI:EU:C:2014:317.
considered itself not responsible, but forwarded the request to Google US as the provider of the
search service.
In response M.G. lodged a complaint with the Agencia Española de Protección de
Datos asking it to order the publisher to remove or rectify the publication so that his personal
data did not appear in the search engine. He also asserted that Google Spain or Google Inc. should be
required to remove or conceal his data so that they ceased to be included in the search results
and no longer appeared in the links to the newspaper.
In a decision of 30 July 2010 the Director of the AEPD upheld the claim against Google and
ordered them to take all the measures necessary to withdraw the data from their index and to
render future access to them impossible. He rejected the complaint against the
publisher, however, as publication of such information in the press was justified.
Both Google Spain and Google Inc. brought appeals before the court, seeking
annulment of the AEPD decision. Owing to the Spanish court’s doubts as to the application of
the national law implementing the Directive on data protection (hereinafter: the Directive),
a reference for a preliminary ruling was made. The first group of questions aims to establish whether
the processing carried out by Google in the present case falls within the territorial scope of application
of the Directive. The second set concerns the personal scope of application and refers to the term controller.
In particular the Spanish court asks whether data processed by a search engine could be
classified as personal data and, if so, whether the processing of such data by a search engine
falls within the scope of the term ‘processing of personal data’. If the answers to both of these
questions are positive, could Google then be named a controller? The last question is whether
the right to be forgotten could be inferred from the right to erasure76 and the right to object77 in
conjunction with the right to privacy and the right to data protection as established in the Charter of
Fundamental Rights.
On June 25, 2013 Advocate General Niilo Jääskinen provided a comprehensive
opinion78 in which he argued that an internet search engine service provider is not a controller
of personal data on third-party source web pages and that the provisions of the Directive do
76 Article 12(b) Directive on data protection.
77 Article 14(b) Directive on data protection: Member States shall grant the data subject the right: to object, on
request and free of charge, to the processing of personal data relating to him which the controller anticipates
being processed for the purposes of direct marketing, or to be informed before personal data are disclosed for the
first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered
the right to object free of charge to such disclosures or uses.
78 Opinion of Advocate General Jääskinen delivered on 25 June 2013, Case C‑131/12, Google Spain and
Google Inc., available at:
http://curia.europa.eu/juris/document/document.jsf?text=&docid=138782&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=130120 (last access: May 14, 2014).
not extend to the right to be forgotten. However, the CJEU, in its judgment delivered on May 13,
2014, held the opposite.
Firstly, the Court held that data found, indexed and stored by search engines
and made available to their users are personal data when they include information relating to
identified or identifiable natural persons79, and added that the activity of a search
engine, which consists of exploring the internet in search of information that is then collected,
indexed, stored and recorded and may be disclosed and made available to users in the form of
a list of search results, is indeed processing of personal data80.
The second part of the judgment concerns the scope of the term controller81. The Advocate General
argued that its definition should not be interpreted literally because that distorts the crux. The
Directive introduced this term to establish who is responsible for complying with the rules
concerning data protection and to allocate this responsibility to the locus of the factual
influence82. As a search engine operator is not aware of processing personal data, it
consequently cannot satisfy the obligations of a controller provided by the Directive83. The
Court should apply a rule of reason, otherwise almost every Internet user could be classified as
a controller. In fact this term aims to draw a line between the entirely passive and intermediary
functions of search engines and situations where their activity represents real control over the
personal data processed84. However, the CJEU used a literal interpretation of Article 2(d) of the
Directive and held that the activity carried out by a search engine operator classifies it as
a controller85.
Subsequently the CJEU established that processing of personal data is carried out in the
context of the activities of an establishment of the controller on the territory86 of a Member
State when the operator of a search engine sets up in a Member State a branch or subsidiary
which is intended to promote and sell advertising space offered by that engine and which
orientates its activity towards the inhabitants of that Member State.
79 Google Spain and Google Inc., rec. 27; Advocate General Opinion, rec. 70-71.
80 Google Spain and Google Inc., rec. 28; Advocate General Opinion, rec. 72.
81 ‘Controller’ is ‘the natural or legal person, public authority, agency or any other body which alone or jointly
with others determines the purposes and means of the processing of personal data’.
82 Advocate General Opinion, rec. 88.
83 Ibid., rec. 89.
84 Ibid., rec. 85.
85 Google Spain and Google Inc., rec. 32-33.
86 Within the meaning given by Article 4(1)(a): processing of personal data is carried out in the context of the
activities of an establishment of the controller on the territory of a Member State, within the meaning of that
provision, when the operator of a search engine sets up in a Member State a branch or subsidiary which is
intended to promote and sell advertising space offered by that engine and which orientates its activity towards
the inhabitants of that Member State.
Finally, the CJEU considered the questions related to the right to be forgotten. As the
definition of the controller had been extended to the operator of a search engine, proclaiming the
right was no longer necessary.
Since the operator is a controller, all of the obligations imposed on controllers bind
it. Therefore the CJEU held that an individual could address a request to the controller to have
links containing personal data erased on the grounds of Articles 12(b) and 14(a). The latter
establishes the right to object to processing provided that the individual’s particular situation
justifies such a request. The former provides the right to have information erased if it turns out to
be processed contrary to the Directive. The term ‘contrary’ should be read in
conjunction with Articles 6 and 7, which constitute a broad list of the controller’s duties. Whenever
the controller’s activity could be regarded as contrary to the Directive’s provisions, the individual could
invoke the right to erasure. Yet this does not automatically mean that the right will be enforced.
What the Court did was to situate disputes concerning the right to be forgotten within the
framework of the Directive. It means that whenever a dispute of this kind occurs, the procedure
regulated in the aforementioned act applies. Such a situation would occur when, for
instance – as Article 6(e) stipulates – information is no longer necessary for the purposes for
which it was gathered.
Requests could be addressed directly to the controller, who is obliged to duly examine
their merits and, as the case may be, end processing of the data in question. If the controller does
not grant the request, the data subject may bring the matter before the supervisory authority or
the judicial authority so that it carries out the necessary checks and orders the controller to
take specific measures. The authority is obliged to balance the claimant's right to privacy and right to data
protection against the economic rights of the service provider, and must do so with due
regard to the rights of other people involved, e.g. the right to be informed, freedom of expression, et
alia. The Court specified that if the authority considers erasure justified, it may order the operator of
the search engine to remove from the list of results displayed following a search made on the
basis of a person’s name links to web pages published by third parties containing information
relating to that person. Additionally, the CJEU stated that it is irrelevant for the decision-making
process whether the claimant suffered loss and gave the direction that the sole economic interest
of the operator, when it collides with the right to privacy, shall not prevail.
This judgment solved one of the most urgent problems of Internet users who sought
a remedy where a search engine violated their personality rights. However, the list of
the controller’s obligations is so broad and vague that one could ask whether the Court
incidentally rendered all of the search engine operators’ activities illegal. Finally, this ruling is
another example in a sequence in which the Court of Justice of the European Union –
an organisation established for purely economic reasons – grants priority to non-economic
purposes over economic ones. In a broader context this decision shows that the EU is taking
another step towards social integration.
3. Right to be forgotten and right to erasure in Commission’s draft regulation
The current EU data protection laws date from pre-Internet times. Despite the fact that
the share of telecommunicated information grew between 1993 and 2012 from 1% to
97%, the most important European directive covering this area dates from 199587. The
forthcoming decade has been named the “Digital Universe Decade”, as the amount of digital
information between 2009 and 2020 is expected to grow from 0.8 Zettabytes88 to 35
Zettabytes89. Viviane Reding, in her speech given on 22 January 2012 in which the Draft
Proposal was presented, pointed out that personal data is the currency of today’s digital market
and as a currency it needs stability and trust90.
One of the proposed measures intended to provide stability and trust for personal
data in the universe of data is the right to be forgotten. The following section examines its
substance, material and personal scope, exceptions, remedies, liabilities and sanctions.
3.1. The crux of the right to be forgotten
A natural person should have a right to be forgotten91. The core of this right is the data
subject’s demand addressed to the controller. The demand obliges the latter to erase personal
data relating to the data subject and to abstain from further dissemination of such
data if one of the grounds described below applies92.
The first ground is that the data are no longer necessary for the purpose for which
they were gathered. This provision embodies the essence of the right to be forgotten,
which is to give individuals control over personal data that has turned out to be
87 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of
individuals with regard to the processing of personal data and on the free movement of such data, Official
Journal L 281, 23/11/1995 P. 0031 – 0050.
88 1 Zettabyte = 1 trillion gigabytes
89 IDC, The Digital Universe Decade (2010), p. 2, available at: http://www.emc.com/collateral/analystreports/idc-digital-universe-are-you-ready.pdf [last access: May 1, 2014].
90 Viviane Reding, The EU Data Protection Regulation Reform 2012: Making Europe the Standard Setter for
Modern Data Protection Rules in the Digital Age, [source, date], p. 2.
91 Recitals 53 and 54 Draft Regulation.
92 Article 17(1) Draft Regulation.
unimportant for the purpose it was initially used for93 and to protect them from having
such information remain collected and/or available online forever.
Secondly, the right to be forgotten applies when there is no longer consent to the processing
of information. This situation arises when the data subject lawfully withdraws such consent or
when the storage period consented to has expired. This ground reflects that the construction of
data processing under the Draft Regulation is based on a framework of the data subject’s
consent94 (Article 6(1)).
When the processing of information is not based on consent but, according to Article 6(1)(d-f),
takes place in order to protect the vital interests of the data subject, is necessary for the performance
of a task carried out in the public interest or in the exercise of official authority vested in the
controller, or is for the purposes of the legitimate interests pursued by a controller, and the data
subject may object95 to that processing under Article 19 of the Draft Regulation, then he
may also enforce the right to be forgotten.
Finally, the data subject could invoke the right to be forgotten on grounds of legality, i.e.
when there is no other legal ground for the processing of the data or the processing does not
comply with the Regulation.
What is more, if the controller that would be obliged to give effect to the right to be
forgotten has made the personal data public, it shall take all reasonable steps to inform third
parties which are processing the data, that a data subject requests them to erase any links to,
or copy or replication of that personal data96.
3.2. Personal scope
According to Article 17 of the Draft Regulation the holder of the right to be forgotten is the data
subject97. A data subject is an identified natural person or a natural person who can be
identified, directly or indirectly, by means reasonably likely to be used by the controller or by
any other natural or legal person98.
93 Emily Shoor, Narrowing the Right to Be Forgotten: Why the European Union Needs to Amend the Proposed
Data Protection Regulation, SSRN Scholarly Paper (Rochester, NY: Social Science Research Network, 20
January 2013), 501, available at: http://papers.ssrn.com/abstract=2410240 [last access: May 1, 2014].
94 Centre of Democracy and Technology, Analysis of the Proposed Data Protection Regulation, available at:
https://cdt.org/files/pdfs/CDT-DPR-analysis.pdf [last access: May 1, 2014], p. 3.
95 The right to object is broad and provides that data subject could object on grounds relating to their particular
situation at any time to the abovementioned processing unless the controller demonstrates compelling legitimate
grounds for the processing which override the interests or fundamental rights and freedoms of the data subject.
96 Article 17(2) Draft Regulation.
97 “The Right to Be Forgotten - Between Expectations and Practice — ENISA”, Report/Study, p. 6, available
at: http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/the-right-to-be-forgotten [last
access: May 1, 2014].
98 Article 4(1) Draft Regulation.
The data subject addresses his claims to the controller, who is described as the natural or legal
person, public authority, agency or any other body which alone or jointly with others
determines the purposes, conditions and means of the processing of personal data99.
3.3. Material scope
Right to be forgotten shall apply to personal data, i.e. any information relating to a
data subject100 that would be processed wholly or partly by automated means, and to the
processing other than by automated means of personal data which form part of a filing system
or are intended to form part of a filing system101,102.
3.4. Territorial scope
To fall within the ambit of the right to be forgotten, the processing of personal data
must take place in the context of the activities of an establishment of a controller or a
processor103 in the Union or, conditionally, outside the EU. In the latter case the processing
activities must be related to the offering of goods or services to data subjects in the
Union or to the monitoring of their behaviour, or take place where the national law of a Member
State applies by virtue of public international law.104
3.5. Exceptions
The right to be forgotten does not apply in the areas where application of the Draft
Regulation is excluded105 or where Article 17(3) provides exceptions.
Obviously, the data subject would not be able to invoke the right to be forgotten in areas
falling outside the scope of Union law or against processing carried out by the Union institutions, bodies,
offices and agencies. The right does not apply to Member States’ activities concerning the
Common Foreign and Security Policy. The general exclusions also include the personal (household)
exemption, i.e. the regulation does not concern a natural person’s activity carried out without any
gainful interest in the course of his own exclusively personal or household activity106. Finally,
the right to be forgotten would not be an appropriate measure to oppose activities conducted by
99 Article 4(5) Draft Regulation.
100 Article 4(2) Draft Regulation.
101 Filing system means any structured set of personal data which are accessible according to specific criteria,
whether centralized, decentralized or dispersed on a functional or geographical basis (Article 4(4) Draft
Regulation).
102 Article 2(1) Draft Regulation.
103 Processor means a natural or legal person, public authority, agency or any other body which processes
personal data on behalf of the controller (Article 4(6) Draft Regulation).
104 Article 3 Draft Regulation.
105 Article 2(2) Draft Regulation.
106 See: Zuzanna Warso, “There’s More to It Than Data Protection – Fundamental Rights, Privacy and the
Personal/household Exemption in the Digital Age,” Computer Law & Security Review 29, no. 5 (October 2013):
491–500.
competent authorities for the purposes of prevention, investigation, detection or prosecution
of criminal offences or the execution of criminal penalties107.
Article 17(3) supplements this list, setting forth that the controller shall not carry out the
erasure if retention of the personal data falls within the ambit of restriction of processing
(Article 17(4)) or is necessary for: exercising the right of freedom of expression; reasons of
public interest in the area of public health; historical, statistical and scientific research; or
compliance with a legal obligation to retain the personal data under Union or Member State law
to which the controller is subject. What exactly this means will depend on the Member States.
According to the provisions of Chapter IX, they are obliged to enact measures that
specify and clarify derogations and exceptions from the right to be forgotten so as to make this
construction enforceable and consistent with freedom of expression.
Restriction of processing provided for in Article 17(4) is an alternative to erasure.
This provision reflects the principle of proportionality and allows the controller to retain data, i.e.
keep them but not process them for aims other than those expressly stated108, when: their accuracy is
contested by the data subject, for a period enabling the controller to verify the accuracy of the
data; the controller no longer needs the personal data for the accomplishment of its task but
they have to be maintained for purposes of proof; the processing is unlawful and the data
subject opposes their erasure and requests the restriction of their use instead; the data subject
requests to transmit the personal data into another automated processing system in accordance
with Article 18(2) (i.e. the processing is based on consent or contract).
3.6. Remedies, liability and sanctions
Chapter VIII of the Draft Regulation sets out the measures that an individual could invoke
should his rights relating to the processing of personal data be breached. The two main
ones are the right to lodge a complaint with a supervisory authority109 if the data subject
considers that the processing of personal data relating to him does not comply with the Draft
Regulation, and the right to a judicial remedy against a decision of a supervisory authority110
concerning the data subject or against a controller or processor111 if they violate the data subject’s
rights under the Draft Regulation. The Draft Regulation also affirms tortious consequences of causing
107 Article 2(2) Draft Regulation.
108 Personal data referred to in paragraph 4 may, with the exception of storage, only be processed for purposes
of proof, or with the data subject's consent, or for the protection of the rights of another natural or legal person or
for an objective of public interest. (Article 17(5)).
109 Article 73 Draft Regulation.
110 Article 74 Draft Regulation.
111 Article 75 Draft Regulation.
damage to a data subject resulting from an unlawful processing operation or from an action
incompatible with the General Data Protection Regulation112; every such data subject shall have
the right to receive compensation from the controller or the processor.
Article 79 lays down administrative sanctions for breach of the General Data Protection
Regulation’s provisions. As to the right to be forgotten, Article 79(5)(c) provides that the
supervisory authority113 shall impose a fine of up to 500 000 EUR, or in the case of an enterprise up
to 1 % of its annual worldwide turnover, on anyone who intentionally or negligently does not
comply with the right to be forgotten or to erasure.
3.7. Conclusions
The right to be forgotten supplements the means currently adopted by Member States in order to
protect privacy and simplifies the erasure of data from the Internet and filing systems. To see
the differences between the regulations in force and the legal system after adoption of the Draft
Proposal, it is necessary to divide personal data into several categories.
Personal data
  - Within filing system
  - Posted online
      - Published for journalistic and artistic purposes
      - Published for other purposes
          - Data published by data subject about him
          - Data referring to data subject published by other people
3.7.1. Data within filing system
As to data collected within filing systems, from the data subject’s standpoint the right to be
forgotten does not bring any significant change. The standard set by the Directive on data protection
is maintained and is based on a framework of consent. If consent is withdrawn, the data controller
must erase the information. The Directive provides that Member States must establish sanctions for
unlawful processing of data, so such behaviour is mostly criminalised.
112 Article 77 Draft Regulation.
113 Supervisory authority means a public authority which is established by a Member State that is responsible
for monitoring the application of this Regulation and for contributing to its consistent application throughout the
Union, in order to protect the fundamental rights and freedoms of natural persons in relation to the processing of
their personal data and to facilitate the free flow of personal data within the Union (Article 46 in conjunction
with Article 4(19)).
From the data controller’s standpoint, the criminal sanctions enacted hitherto in implementation
of the Directive on data protection are accompanied by an administrative sanction, i.e. fines of up to
500.000 Euros or 1% of global income.
3.7.2. Data published by journalists or artists within the scope of guarantees of freedom
of speech and press
As the case law described in point 2 shows, erasure of press materials is in practice very
difficult, if not impossible. As the ECtHR stated in the Węgrzynowski case, requiring a newspaper to
take an article down from its online archive violates Article 10, as courts should not be engaged
in rewriting history.
Article 80 of the Draft Regulation transfers the obligation to balance freedom of
expression and the right to be forgotten to Member States. Countries are obliged to adopt
exemptions and derogations to reconcile the right to the protection of personal data with the
right of freedom of expression114. It means that Europe will have 28 different regulations
clarifying when a controller shall not carry out erasure for the sake of protecting freedom of
expression. The European Commission assumes that controllers from around the world will know
these regulations and distinguish between them if they do not want to have penalties imposed.
Consequently, we do not know exactly what impact the right to be forgotten will have on
content published in the area protected by guarantees of freedom of expression. From the
Member States’ perspective, the right to be forgotten is a right provided by secondary EU
legislation and, unlike freedom of speech, is not recognised by a number of national
constitutions.
Some national constitutional courts proclaim the supremacy of the constitution and
affirm their competence to review the conformity of EU secondary law with the constitution115. It
means that when the right to be forgotten collides with freedom of expression the latter should
prevail, and consequently the right to be forgotten should never apply, as it results from a
hierarchically lower norm. Such a situation would be contrary to the principle of supremacy of EU
law, but as the example of the Polish constitutional court shows, proceedings of this kind are not
an entirely legal-fiction scenario.
Therefore enactment of the Draft Proposal might result not only in implementing new
bills but also in amending constitutions.
3.7.3. Data posted by data subject about data subject
114 Draft Proposal, Explanatory memorandum, p. 15.
115 For example, the Polish Trybunał Konstytucyjny found itself empowered with such competence; see judgment
SK 45/09 of 16.11.2011.
The right to be forgotten does not bring any new standard in this instance. Our accounts
are created as a result of a contract of indefinite duration between the data subject and the service
provider, and therefore each party can terminate it at any time. If the contract is terminated,
the service provider has no legal title to process the data, and since unlawful processing is
criminalised he should delete all information related to the subject. The right to be forgotten
supplements this construction with additional penalties.
3.7.4. Data posted about data subject by third parties
The most useful solution the Draft Regulation provides concerns erasure of personal data
posted by third parties. Civil law measures make judicial intervention conditional on breach, loss
and causation. The right to be forgotten allows individuals to demand erasure of irrelevant content
about them without proving any kind of damage and regardless of causation.
However, the right to be forgotten shall not apply to a natural person’s activity carried out
without any gainful interest in the course of that person’s own exclusively personal or household
activity. The real scope of the household exception will depend upon the controller’s
assessment, because the Draft Regulation does not provide any further clarification. It might at
some point undermine the effectiveness of the right, as most irrelevant information online that
does not result from journalistic purposes arises within the scope of the aforementioned
activity.
3.7.5. Draft Regulation and Google Spain case
The right to be forgotten as proposed in the Draft Regulation is intended to give the individual
the right to demand erasure of content directly from the controller, and the request is binding on
the latter. According to Google Spain, the individual addresses a request to the controller and, when
the controller does not comply with it, the individual may lodge a claim with a judicial or supervisory
authority, which is able to oblige the controller to erase personal data once it balances all of the
interests involved.
The Draft Regulation also extends the material scope of application of the demand to the
entire substratum of the term personal data, as described above. According to Google Spain,
the individual could address his request only to the search engine controller, and its merits concern
erasure of the personal data contained in a link displayed in the search engine’s result list.
3.8. Summary
All of the theoretical concepts aim to give individuals the right to have unimportant
information about them erased. The factor that turns relevant information into irrelevant is
time. Just as the human brain forgets, law should provide a tool that forces the Internet to forget
as well. The right to be forgotten as proposed by the European Commission is a conceptualisation of
those remarks, but a very particular one and not entirely consistent with the idea. In my opinion this
proposal is a step in the right direction; however, it needs to be slightly amended.
The biggest advantage is that it gives individuals the right to demand that a search engine
erase links referring to them from search results. As current case law shows, this is the most
urgent problem of Internet users and the Draft Proposal puts an end to it.
As to drawbacks, the Draft Regulation contains lots of vague, ambiguous terms that will
be filled with meaning by the controller. For instance, the main rationale for exercising the
right, ‘information is no longer important’, is really difficult to define. The right to be forgotten
is inspired by the human brain, which forgets information after some time. Academic research
reveals that data posted online, despite being always accessible, is not immortal in the sense that
interest in the content gradually drops and the lifecycles of information can be estimated 116.
The Draft Proposal does not provide any timeframe and therefore a data subject could demand
erasure just after publication. This is contrary to the aim of this construction. The right to be
forgotten should not serve as an alternative to personal rights or defamation claims, resolved
while bypassing the judiciary. Yet according to the Draft Proposal it could be used in this way.
Leaving vague terms to the controller’s discretion is risky, as non-compliance with a request
is subject to sanction, whereas erasure is not. Once the controller deletes content as a result of
the data subject’s demand, he would not be held liable, because all civil law and tort
measures are based on unlawful behaviour. Since he acts pursuant to Article 17(1), his acts are
always lawful.
4. Conclusion
The right to be forgotten derives from concepts aiming to protect privacy and identity and
was conceptualised in the 00s as a result of the impact that information posted online has on
our image and social perception. The substance of this right is a demand that the individual
addresses to the controller, seeking to have personal data deleted when it is no longer
important. Yet it is not the only construction that protects image online. Technology adopts
mechanisms that automatically erase information from devices; most websites enable their users
to erase uploaded information manually, and some of them as a result of setting an expiration
date. Insurance companies offer entities reputation insurance that provides compensation for
harm caused by the spread of old, negative information online.
116 For comprehensive analysis of this problem see: Ambrose, “It’s About Time: Privacy, Information Life
Cycles, and the Right to Be Forgotten.” and Meg Leta Ambrose, “A Digital Dark Age and the Right to Be
Forgotten,” Journal of Internet Law 17, no. 3 (September 2013): 1,9–20.
Europe is on her way to finding a new standard of protecting data in the digital age. The Draft
Regulation is a step in the right direction; however, the right as proposed in Article 17 could be
improved. This construction manages to solve problems related to search engines, but as
to press materials and the household exception it remains very unclear.
The right to be forgotten is thought to constitute a serious threat to freedom of
expression117. The European Commission washes her hands of clarifying the relation between those
two and confers this obligation on Member States. Analysis of ECtHR case law and
constitutional provisions leads to the conclusion that the right to be forgotten will probably not
apply to journalistic content, at least not in the short term.
In my opinion the most egregious problem for securing our identity and privacy online
in this decade is not the implementation of new laws but the enforcement of those in force. As
cases against Google’s daughter companies show, it is not a problem to lodge a claim against
a corporation. The real problem is how to enforce an order that makes this entity erase data when
we do not know where, and whose, the servers that collect our personal data are. And what is
the point of imposing million-euro fines when most of a company’s assets are outside
Europe? Therefore the architects of new data protection standards should be very meticulous
about the execution phase. Otherwise protection of privacy turns out to be an illusion.
117 Steven Bennett, “The ‘Right to Be Forgotten’: Reconciling EU and US Perspectives,” Berkeley Journal of
International Law 30, no. 1 (April 1, 2012): 164.
BIBLIOGRAPHY
Ambrose, Meg Leta. “A Digital Dark Age and the Right to Be Forgotten.” Journal of Internet
Law 17, no. 3 (September 2013): 1,9–20.
———. “It’s About Time: Privacy, Information Life Cycles, and the Right to Be Forgotten.”
Stanford Technology Law Review 16 (2013): 369–422.
Ambrose, Meg Leta, and Jef Ausloos. “The Right to Be Forgotten Across the Pond.” Journal
of Information Policy 3 (2013): 1–23.
Ausloos, Jef. “The ‘Right to Be Forgotten’ - Worth Remembering?” Computer Law &
Security Review 28, no. 2 (2012): 143–52.
Bennett, Steven. “The ‘Right to Be Forgotten’: Reconciling EU and US Perspectives.”
Berkeley Journal of International Law 30, no. 1 (April 1, 2012): 161–95.
Bernal, Paul Alexander. “A Right to Delete?” European Journal of Law and Technology 2,
no. 2 (September 7, 2011). http://ejlt.org//article/view/75.
Callender, Craig. “Is Time an Illusion?” Scientific American, June 2010.
http://www.scientificamerican.com/article/is-time-an-illusion/.
Carter, Edward. “Argentina’s Right to Be Forgotten.” Emory International Law Review 27–
39, no. 1 (2013): 23–39.
Castellano, Pere Simón. “The Right to Be Forgotten Under European Law: a Constitutional
Debate.” Lex Electronica, no. 16.1. (January 2012).
https://papyrus.bib.umontreal.ca/xmlui/handle/1866/9296.
Chee, Foo Yun. “European Court Says Google Must Respect ‘Right to Be Forgotten’.”
Reuters. May 13, 2014. http://www.reuters.com/article/2014/05/13/us-eu-googledataprotection-idUSBREA4C07120140513.
De Hert, Paul, and Vagelis Papakonstantinou. “The Proposed Data Protection Regulation
Replacing Directive 95/46/EC: A Sound System for the Protection of Individuals.” Computer
Law & Security Review 28, no. 2 (April 2012): 130–42.
Fantechi, Alessandro, Christopher D. Nugent, Alessandro Pinzuti, Enrico Vicario, and
Tommaso Magherini. “An On-line System for Automated Recognition of Human Activities.”
European Journal of Law and Technology 4, no. 2 (August 12, 2013).
http://ejlt.org//article/view/189.
Fazlioglu, Muge. “Forget Me Not: The Clash of the Right to Be Forgotten and Freedom of
Expression on the Internet.” International Data Privacy Law, May 27, 2013, ipt010.
doi:10.1093/idpl/ipt010.
Gomes de Andrade, Norberto Nuno. “Oblivion: The Right to Be Different … from Oneself.
Reproposing the Right to Be Forgotten.” IDP. Revista de Internet, Derecho y Política 0, no.
13 (March 15, 2012): 122–37. doi:10.7238/idp.v0i13.1375.
Grocer, Stephen. “AIG Debuts Reputation Insurance.” WSJ Blogs - Deal Journal, October 11,
2011. http://blogs.wsj.com/deals/2011/10/11/aig-debuts-reputation-insurance/.
Hauch, Jeanne. “Protecting Private Fact in France: The Warren & Brandeis Tort Is Alive and
Well and Flourishing in Paris.” Tulane Law Review, no. 68 (1994 1993).
Jałoszewski, Mariusz. “Jak Google z Pogromcy Mafii Zrobił Gangstera.” Gazeta Wyborcza,
April 19, 2014.
http://wyborcza.pl/1,75478,15826544,Jak_Google_z_pogromcy_mafii_zrobil_gangstera__Zada.html.
Jr, Holman W. Jenkins. “Google and the Search for the Future.” Wall Street Journal, August
14, 2010, sec. Opinion.
http://online.wsj.com/news/articles/SB10001424052748704901104575423294099527212.
Lagone, Laura. The Right to Be Forgotten: A Comparative Analysis. SSRN Scholarly Paper.
Rochester, NY: Social Science Research Network, December 7, 2012.
http://papers.ssrn.com/abstract=2229361.
Markoff, John. “New Technology to Make Digital Data Self-Destruct.” The New York Times,
July 21, 2009, sec. Science. http://www.nytimes.com/2009/07/21/science/21crypto.html.
Mayer-Schönberger, Viktor. Delete: The Virtue of Forgetting in the Digital Age. Princeton
N.J.: Princeton University Press, 2011.
———. “Useful Void: The Art of Forgetting in the Age of Ubiquitous Computing.” Harvard
University, John F. Kennedy School of Government, Working Paper Series, 1/2007, 2007.
McGoldrick, Dominic. “Developments in the Right to Be Forgotten.” Human Rights Law
Review 13, no. 4 (December 1, 2013): 761–76.
Mitrou, Lilian, and Maria Karyda. EU’s Data Protection Reform and the Right to Be
Forgotten: A Legal Response to a Technological Challenge? SSRN Scholarly Paper.
Rochester, NY: Social Science Research Network, February 5, 2012.
http://papers.ssrn.com/abstract=2165245.
Morozov, Evgeny. “The Information Welfare State.” Slate, February 20, 2012.
http://www.slate.com/articles/technology/future_tense/2012/02/_right_to_be_forgotten_how_facebook_google_and_other_companies_can_protect_internet_user_privacy_.html.
Pino, Giorgio. “The Right to Personal Identity in Italian Private Law: Constitutional
Interpretation and Judge-Made Rights.” In The Harmonization of Private Law in Europe, by
Mark Van Hoecke, 225–37. Oxford: Hart Publishing, 2000.
http://www.unipa.it/gpino/The%20right%20to%20personal%20identity.pdf.
Pytlakowski, Piotr. “Bardzo Biedny Gangster.” Polityka, no. 24 (June 15, 2002): 30–31.
Rosen, Jeffrey. “Free Speech, Privacy, and the Web That Never Forgets.” Journal on
Telecommunications & High Technology Law 9, no. 2 (Spring 2011): 345.
———. “The Deciders: The Future of Privacy and Free Speech in the Age of Facebook and
Google.” Fordham Law Review 80, no. 4 (March 19, 2012): 1525–38.
Schooler, Lael J, and Ralph Hertwig. “How Forgetting Aids Heuristic Inference.”
Psychological Review 112, no. 3 (July 2005): 610–28.
Shoor, Emily. “Narrowing the Right to Be Forgotten: Why the European Union Needs to
Amend the Proposed Data Protection Regulation.” Brooklyn Journal of the International Law
39, no. 1 (2014): 487–519.
The Right to Be Forgotten - Between Expectations and Practice — ENISA. Report/Study.
Accessed March 21, 2014. http://www.enisa.europa.eu/activities/identity-andtrust/library/deliverables/the-right-to-be-forgotten.
Walker, Robert Kirk. “The Right to Be Forgotten.” Hastings Law Journal, no. 64 (November
20, 2012). http://papers.ssrn.com/abstract=2017967.
Warso, Zuzanna. “There’s More to It Than Data Protection – Fundamental Rights, Privacy
and the Personal/household Exemption in the Digital Age.” Computer Law & Security Review
29, no. 5 (October 2013): 491–500.
Wixted, John T. “The Psychology and Neuroscience of Forgetting.” Annual Review of
Psychology 55, no. 1 (2004): 235–69.
Xanthoulis, Napoleon. “Right to Oblivion in the Information Age: a Human-rights Based
Approach.” US-China Law Review, no. 10 (2013): 84–98.
Zittrain, Jonathan. “Reputation Bankruptcy :: Future of the Internet – And How to Stop It.”
Accessed May 9, 2014.
http://blogs.law.harvard.edu/futureoftheinternet/2010/09/07/reputation-bankruptcy/.