The General Data Protection Regulations (GDPR) are privacy laws, drafted and passed by the European Union (EU) and they form the core of Europe’s digital privacy legislation. The regulations came into effect on the 25th of May 2018.
The General Data Protection Regulations (GDPR) impose obligations to any organization operating within the EU, as well as any organizations outside of the EU which offer goods or services to customers or businesses in the EU. This ultimately means that almost every major corporation in the world requires a GDPR compliance strategy.
The Data Protection Act of 2019 is Kenya’s primary legislation on the issue of Data Privacy and Protection.
The Right to be Forgotten.
Under Article 17 of the GDPR, individuals have the right to have personal data concerning them erased without undue delay and the data controller shall have the obligation to erase personal data without undue delay. This is also referred to as the ‘right to be forgotten’. However, this right is not absolute and only applies in certain circumstances.
Article 17 of the GDPR, provides the grounds on which an individual may have the right to have their personal data erased. Some include:
1. Circumstances where the personal data is no longer necessary for the purpose for which it was originally collected or processed for.
2. In compliance with a legal obligation.
3. Circumstances where the data was collected and processed unlawfully.
Section 40 of the Data Protection Act of 2019 highlights the right of a data subject to request a data controller or data processor to erase or destroy without undue delay personal data that the data controller or data processor is no longer authorized to retain, irrelevant, excessive or obtained unlawfully.
Section 40 of the Data Protection Act of 2019 also states that where a data controller shares the personal data with a third party for processing purposes, the data controller or data processor shall take all reasonable steps to inform third parties processing such data, that the data subject has requested the erasure or destruction of such personal data.
The Landmark Case of Google Spain v Costeja Gonzalez (2014).
The case of Google Spain v. Costeja Gonzalez decided before the Court of Justice of the European Union, is a landmark case for Digital Rights, specifically the Right to be Forgotten.
The ruling was delivered on 13th May 2014.
In 2010, Mario Costeja González, a Spanish national, lodged a complaint against Google Spain and Google Inc., requesting the court to order Google to remove or conceal the personal data relating to him, so that the data no longer appeared in the search results, emanating from their search engines.
The Court of Justice of the European Union, highlighted the following Legal Issues, in the above-mentioned ruling:
- Google are controllers of personal data due to their Search engines and therefore Google cannot escape its responsibilities in handling personal data, that stem from the General Data Protection Regulations (GDPR).
- Google is subject to EU Data Protection Law on the basis that EU data protection law applied, because Google had a branch or a subsidiary in a Member State (Google Spain), which promoted the selling of advertising space offered by Google.
- Google being a controller of personal data and subject to EU data protection law, they have an obligation to fulfill the requirements of the law, including granting the request to remove links of particular search results because they appear to be irrelevant or are no longer relevant.
However, in September 2019, the Court of Justice of the European Union, limited the reach of the landmark online privacy law, known as “right to be forgotten”.
The European Court of Justice ruled that the privacy rule cannot be applied outside the European Union. The court stated that there was no obligation under EU law, for a search engine operator (Google) who grants a request for de-referencing made by a data subject… to carry out such a de-referencing request on all the versions of its search engine, especially those versions in other territories.
The European Court of Justice also issued a related second ruling, which said that links do not automatically have to be removed just because they contain information about a person’s sex life or a criminal conviction.
Instead, the court ruled that such listings could be kept where “strictly necessary” for people’s freedom of information rights to be preserved. However, it indicated a high threshold should be applied and that such results should fall down search result listings, over time.
The recent rulings mentioned above, define the scope of the right to be forgotten, more carefully.
Arguments against the Right to be Forgotten.
- The rising Censorship regime: Critics have raised concerns that Authoritarian governments can misuse the Right to be Forgotten to exert control over publicly available information and can force takedowns of published information, that they seek to hide from the general public, due to nefarious purposes.
- Conflict with the Freedom of Expression and Right to Access to Information: The restriction on internet user’s ability to access publicly available information can undermine guaranteed rights to Freedom of expression and access to information. Those against the enforcement of the Right to be Forgotten, argue that Data Regulators should not be allowed to decide what internet users around the world find, when they use a search engine.
In Closing.
Judicial courts must limit the scope of the right to be forgotten in order to protect the right of internet users around the world, to access information online and to express themselves. They must be careful not to set a global precedent for censorship.
The courts must ensure that the right to privacy and the right to freedom of expression and information, are balanced when deciding whether websites should be de-listed, in exercise of the right to erasure.
