By Evi Tsakali,
They say that the internet never forgets. Nowadays, in the EU at least, this may no longer be true…
The General Data Protection Regulation (GDPR) which came into force in 2018 has established, among other things, the right to be forgotten, also known as the right to erasure. This right had received a lot of attention from the media after the 2014 judgement from the EU Court of Justice, which set the legal precedent for the provision of such a right in the GDPR.
What does it mean, having the right to be forgotten?
According to article 17 of the GDPR “the data subject shall have the right to obtain from the controller the erasure of personal data without undue delay”. “Undue delay” is considered to be about a month. It must also be verified that the person requesting erasure is actually the data subject. The classical conception of rights is grounded in the physical ownership of self: speech, religion, association, liberty and, more controversially, privacy. It was imagined in the context of a physical world, where what happens to us actually happens to us and is, consequently, subject to some effective level of state control. In the era when -besides our physical footprint- we also leave a digital footprint, this provision came to fulfill that need.
The ECJ 2014 trial: the history of the right to be forgotten
In 2014, the Spanish judiciary ruled in favor of the right to be forgotten in the lawsuit between Google Spain SL and Google Inc vs. Agencia Española de Protecciόn de Datos, Mario Costeja González. The case revolved around a newspaper announcement in La Vanguardia for Costeja’s forced property sale required to settle social security debt in 1998. In 2009, Costeja contacted the newspapers because searching for his name brought up the old announcement. The newspaper denied the request since it was a government ordered publication. Costeja then contacted Google Spain to remove the search result.
The case was brought to the European Court of Justice, which ruled that Google needed to remove the search results, but that the newspaper did not have to remove the original article. Today, if we are in a jurisdiction where the right to be forgotten or similar laws exist we can submit a Data Subject Access Request (DSAR) to remove or request what personal data about us a company has stored.
When do we have a right to a DSAR?
There are specific cases when we have the right to a DSAR:
- When data exists on the internet that is old, outdated or not currently relevant.
- When the data subject decides that the data controller no longer has rights to access their data and the said data is not in the public domain.
- When someone stole or changed the data.
- When a judge or other judicial body ruled this data to be deleted.
There are some exceptions though: the data that should be available because of freedom of information or expression, the data that is part of an active or relevant legal proceeding, the data that is of importance to public health and the data that should be archived for public interest because it is significant to scientific or historical research.
- Everything you need to know about the “right to be forgotten”, GDPR official website. Available here.
- The ECJ’s 2014 decision from ECJ’s website. Available here.