Ketevan Kukava, PhD Student in Law, Tbilisi State University

In today’s digital world, where information is readily stored and accessed, managing one’s personal data is a complex challenge. Completely removing data from digital platforms, especially once it’s publicly accessible, is technologically and practically difficult. The lasting impact of past actions, preserved online indefinitely, raises concerns in the present.

The internet and digitization, while offering unparalleled access to information and content creation tools, present a significant drawback: the loss of control over personal data and the right to be forgotten. As Viktor Mayer-Schoenberger argues in his book “Delete: The Virtue of Forgetting in the Digital Age,” technological advancements have flipped the historical norm, making remembering the default and forgetting the exception.

This has ignited a debate over balancing privacy and freedom of expression online. Some contend that removing legally published information from search results resembles Orwellian censorship. However, the individual’s right to manage their online data, move on from the past, and control their digital footprint cannot be ignored.

The General Data Protection Regulation (GDPR), implemented on May 25, 2018, aims to address the privacy challenges of the digital age. Building upon Directive 95/46/EC, the GDPR standardizes data protection rules across the European Union, offering enhanced safeguards. Most notably, it includes a clearer “right to erasure” (also known as the “right to be forgotten”), a topic of significant discussion and controversy. This right enables individuals to request the deletion of their data if there’s no valid reason for it to be retained.

Although the right to be forgotten wasn’t explicitly mentioned in Directive 95/46/EC, the landmark Google Spain case established a precedent. The Court of Justice of the European Union interpreted the directive’s provisions to support the plaintiff’s claim. Citing the data subject’s right to access and rectify their data, the Court mandated search engines to delist links containing personal information from search results.

Under Article 17 of the GDPR, the right to erasure empowers individuals to request the deletion of their personal data without undue delay, placing the responsibility on the data controller to comply. This applies in specific situations, such as withdrawal of consent or lack of legitimate grounds for data processing.

One basis for data erasure is the individual’s objection to the processing of their data if no compelling justification for processing exists (Article 17(1)(c)). Unlike the Data Protection Directive, the GDPR shifts the burden of proof to the data controller, requiring them to demonstrate legitimate grounds for continued processing that outweigh the individual’s rights and freedoms.

Article 17 holds the data controller, the entity deciding how and why personal data is processed, responsible for ensuring data erasure. When data is public, controllers must make reasonable efforts, using available technology, to inform other entities processing the data of the erasure request, including removal of links, copies, and replicas (Article 17(2)). Exceptions to this rule are outlined, including instances where processing is necessary for freedom of expression, archiving, research, or statistical purposes (Article 17(3)).

Despite efforts to empower individuals with control over their data, the nature of the internet and rapidly evolving technology create legal and practical hurdles to implementing the right to be forgotten. The Google Spain case highlighted the ease with which online information can be replicated and the challenge of enforcing EU regulations on entities outside its jurisdiction. Once data is public, controlling its spread and ensuring complete erasure becomes incredibly difficult. Furthermore, the case exemplified the “Streisand effect,” where attempts to suppress information inadvertently increase its visibility.

The practical difficulties of complete data erasure are acknowledged in the GDPR’s emphasis on taking reasonable steps. It requires controllers to inform all recipients of the data about the erasure request unless deemed impossible or requiring excessive effort (Article 19).

The territorial scope of the GDPR and its application to companies operating outside the EU presents further challenges in enforcing the right to be forgotten. Similar to its predecessor, the GDPR applies to data processing within the EU by a controller established in the Union, regardless of where the processing occurs (Article 3(1)). Establishment, as defined by Recital 22, involves conducting genuine economic activity through stable arrangements, regardless of legal structure (branch, subsidiary, etc.).

The GDPR extends its reach to companies outside the EU if they process personal data of individuals within the Union by offering them goods or services or monitoring their behavior within the EU (Article 3(2)). This underscores the broad extraterritorial scope of the GDPR, obligating companies outside the EU to comply with its data protection regulations.

This expansive reach, coupled with significant administrative penalties for violations (Article 83), has drawn criticism for its perceived strictness. However, it’s crucial to acknowledge the necessity of adapting legal frameworks to address modern privacy concerns, ensuring safeguards keep pace with technological advancements.

Proportionality, as emphasized by the GDPR, plays a key role. Recital 4 clarifies that the right to data protection is not absolute and must be weighed against its societal function and other fundamental rights. Article 85 allows exemptions for data processing for journalistic, academic, artistic, or literary purposes if deemed necessary to balance data protection with freedom of expression.

The question of global implementation of the right to be forgotten, particularly in the context of the Google Spain ruling, remains a point of contention. Google responded to delisting requests by removing links from all European versions of its search engine and using geolocation to restrict access to the delisted content from the requestor’s country. However, the French data protection authority insisted on applying the right to be forgotten globally across all Google domains. This issue raises the question of whether delisting requests should have global implications, potentially conflicting with other jurisdictions’ regulations and impacting the open exchange of information.

While the GDPR’s right to erasure may not offer a definitive solution to all privacy challenges in the digital age, its focus on individual control over personal data holds immense value. As we navigate the complexities of online privacy and the practical realities of implementing these regulations, we must ask ourselves: can we achieve genuine online privacy, and what compromises are we willing to make? These questions are increasingly important and require us to carefully consider the nature and challenges of the internet age.

Photo credit: PR Week