In the last couple of years, people have become more aware of the risks associated with placing their personal data online. Once something is published on the Internet, it tends to remain there forever and it is often accessible to the general public. This can have serious consequences. The use of information published on social media as evidence in court proceedings, in particular in the context of dismissal of employees, is only one example. False rumours and accusations spread on the Internet may seriously harm a person's reputation. Likewise, old reports about someone's (alleged) wrongdoing in the past that are still retrievable through search engines, can make people's lives very difficult.
As a result of this, the "forget me requests" are accumulating with search engines such as Google, and a clear-cut "right to be forgotten" is becoming more important than ever. This article discusses the current legal framework in the EU and Belgium, the important EU court-ruling of 13 May 2014 (C-131/12, Google Spain & Google Inc. v. González) and the new Data Protection Regulation (which will enter into effect in May 2018), with respect to the right to be forgotten.
Current legal framework in the EU and Belgium
The right to be forgotten finds its basis in the right to privacy and the protection of personal data that every natural person is entitled to pursuant to European and national law. The European Convention on Human Rights ("ECHR") grants every person a right to respect private and family life (Article 8 ECHR). Article 7 of the Charter of Fundamental Rights of the European Union also provides for this right, as well as a right to protect personal data (Article 8 of the Charter). In Belgium, the Act of 8 December 1992 on the protection of privacy with regard to the processing of personal data (the "Privacy Act") guarantees the protection of personal data.
The Belgian Privacy Act has implemented the European Data Protection Directive of 1995, Article 12(b) of which provides that Member States are to guarantee every data subject the right to obtain from the data controller the rectification, erasure or blocking of data that is in particular incomplete or inaccurate. Article 1 §2 of the Privacy Act, defines "processing" as "any operation or set of operations, which is performed on personal data, whether or not by automatic means, such as (…) the blocking, erasure or destruction of personal data". In addition, Article 12 §1 of the Privacy Act provides for a specific provision granting the data subject the right to request a rectification of any incorrect data related to him, free of charge.
It is apparent that the aforementioned provisions do not grant a clear-cut right to be forgotten. Although such right may be implicitly included in the right of rectification and deletion of incomplete or incorrect data, it has long been unclear under which circumstances an individual could request that information about him or her be blocked or removed, in particular if the information in question was not inaccurate.
EU-court ruling of 13 May 2014: concrete meaning of the right to be forgotten
With a view to sort out the remaining uncertainties with respect to the right to be forgotten, a preliminary ruling was requested from the European Court of Justice (ECJ) by a Spanish court. The request was related to a complaint of a Spanish Citizen, González, who lodged a complaint against a Spanish newspaper and against Google Spain and Google Inc. The complaint was based on the fact that, when an Internet user entered the plaintiff's name in the search engine of Google, links to articles of a Spanish newspaper appeared regarding an announcement mentioning the plaintiff's name for a real estate auction connected with attachment proceedings. Given the fact that these proceedings had been fully resolved for a number of years already, the plaintiff claimed that this reference was completely irrelevant and therefore had to be removed.
The Spanish court requested the ECJ, apart from a question regarding the territorial application of the EU Data Protection Directive, whether an individual has the right to request that his or her personal data be removed from accessibility via a search engine (i.e. the right to be forgotten).
In its judgment of 13 May 2014, the ECJ specifically held that search engines are to be considered data controllers, and as such cannot escape their responsibility under EU data protection laws when handling data of European citizens. With respect to the right to be forgotten, the court further specified that individuals have the right, under certain conditions, to request search engines to remove links with personal information about them. This applies in particular where the information is "inadequate, irrelevant or no longer relevant, or excessive in relation to [the processing] purposes and in the light of the time that has elapsed" (paragraph 93 of the ruling). However, a case-by-case assessment remains necessary. On the other hand, the ECJ held that the interference with the data subject's fundamental rights may be justified if the data subject plays a particular role in public life.
In addition to this EU-court ruling, the Belgian Supreme Court ("Hof van Cassatie") ruled on 12 May 2016 that the right to be forgotten also extends to the electronical archives of newspapers. The Supreme Court explicitly ruled that "the right to be digitally forgotten is an intrinsic part of the right to respect the private and family life, and may, as such, justify restrictions on the right to freedom of expression".
The new Data Protection Regulation: towards an explicit right to be forgotten and a tougher regime for the data controller
The new EU Data Protection Regulation (the "Regulation"), which will enter into effect in May 2018, has now explicitly recognized the right to be forgotten, both with respect to its territorial scope and its material scope. More in particular, the burden of proof has now been reversed, which makes the right to be forgotten more effective and meaningful for individuals. As a result, the controller now has to prove that the data cannot be erased because it is still relevant.
Territorial scope – Article 3 of the Regulation
The Regulation takes away all doubts with respect to the territorial applicability of the Regulation with respect to non-EU companies. Article 3 of the Regulation clearly provides that the Regulation applies to the processing of personal data, "regardless of whether the processing takes place in the EU or not".
Material scope – Article 17 of the Regulation
The new Article 17 has been divided into three paragraphs, thereby striking a more correct balance between the rights of the data subject on the one hand, and the rights of the data controller on the other hand.
Pursuant to Article 17 (1) of the Regulation, the individual who wishes to have certain data erased can now request this erasure in certain situations, such as when the personal data is no longer necessary, if the data subject withdraws his or her consent (and where there are no other legal grounds for the processing), if the data subject objects to the processing, or if the personal data have to be erased in order to comply with a legal obligation in the EU or a Member State law to which the controller is subject. Article 17 (2) of the Regulation includes an obligation for a controller, who has made the personal data public and who is required to erase this personal data, to take "reasonable steps" to inform controllers which are processing the personal data that the data subject has requested the erasure of any links to his personal data. In fact, the European Parliament wanted to go even further by adding an obligation for the controller to ensure an erasure of these data. However, this obligation has eventually not been included in the Regulation. Finally, Article 17 (3) clearly specifies in which cases paragraphs (1) and (2) do not apply, in particular when exercising the right of freedom of expression and information, for reasons of public interest in the area of public health, or for the establishment, exercise or defence of legal claims.
Increased powers of data protection authorities
The Regulation also provides for increased powers of the national data protection authorities to enforce the provisions of the Regulation against data controllers and processors. Data protection authorities may, for instance, impose fines of up to 20.000.000,00 EUR or 4% of the annual worldwide turnover of the preceding financial year, whichever is higher, or order any other measures to be taken by the data controller or processor. As a result, data controllers and processors will be required to duly respond to all requests related to the right to be forgotten.
The new Data Protection Regulation has finally adopted a straightforward and meaningful right to be forgotten, whereby it overcomes the rather unclear and implicit principle that was incorporated in the earlier Data Protection Directive of 1995. Undoubtedly, this can be partly ascribed to the court ruling of 13 May 2014 which clearly established a basic right to be forgotten, and thus definitely had an impact on the urgent adoption of the right to be forgotten in the Regulation. In this respect, the European Commission clearly kept in mind the balance that had to be struck between the adequate protection of personal data and the related fundamental rights of the data subject on the one hand, and the freedom of expression and media on the other hand, when drafting the text of Article 17. In addition, the increased enforcement powers of the national data protection authorities may prove helpful in guaranteeing compliance with the new data protection rules.