Authors: Artemi Rallo and Jorge Viguri
- The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
- Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
- Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(e) for the establishment, exercise or defence of legal claims.
1.Introduction
The threats that technological developments pose for the protection and guarantee of fundamental rights are countless, but none of these challenges aroused such an intense debate as the one generated by the unexpected decision of the CJEU in Google Spain.[1] It resolved a long dispute related to the liability of search engines, the applicability of data protection laws and the citizens’ rights. However, the CJEU judgment is not the original cause, but it played a critical role in recovering the heading “right to be forgotten” in Art. 17 GDPR finally adopted on 27 April 2016. The final content of this right has not dispelled all criticism raised by the Comm-P. The right to be forgotten is more clearly included within the right to erasure, since it contains a much broader right than the one addressed by the CJEU’s judgment. In fact, while the Comm-P seemed to hint at two different rights in its heading (“right to be forgotten and to erasure”), the final wording adopts a heading, which undoubtedly includes the right to be forgotten within the right to erasure, without distinguishing between them (“right to erasure” and “right to be forgotten”).
2.Legislative background
a)Initial discussions on the right to be forgotten (2010–2012)
In 2009, the Comm launched a review on the effectiveness of the applicable legal framework in order to ensure a high level of protection in the field of personal data protection. Nothing in the initial public debate on the reform of European data protection laws suggested that the right to be forgotten would be adopted. The Art. 29 WP, though acknowledging the right to erasure, did not mention the ‘right to be forgotten’ in its 2009 joint contribution ‘The Future of Privacy’.[2]
In its 2010 Communication “A comprehensive approach on personal data protection in the European Union”, the Comm made explicit reference to the “right to be forgotten”.[3] The main purpose of this reference was to strengthen individuals’ rights and effective control over personal data. To this end, the Comm studied the means and legal reforms necessary to enhance such a control in the online world; it addressed the ‘right to be forgotten’ as “the right of individuals to have their data no longer processed and deleted when they are no longer needed for legitimate purposes”.[4] The above Communication demonstrates how the notion of this right, whose exercise appears inextricably linked to the online environment (especially, social networks), was then gradually taking shape.
However, the EDPS, in its Opinion on the Comm’s Communication, highlighted the connection between the right to data portability and the right to be forgotten: “Data portability and the right to be forgotten are two connected concepts put forward by the Communication to strengthen data subjects’ rights (…) They are complementary to the principles already mentioned in the Directive, providing for a right for the data subject to object to the further processing of his/her personal data, and an obligation for the data controller to delete information as soon as it is no longer necessary for the purpose of the processing (…)”..[5] In the EDPS’ view, these new rights could help shift the balance in favour of citizens’ rights. Data subjects would have more control over their personal information and information would automatically disappear after a certain period of time, even if the user did not take any action or was not aware of the data storage. It was certainly a bold approach aimed at giving unambiguous content to the right to be forgotten, i.e., the deletion of data after an “expiration date” as already provided for in specific national sectors, such as court records or police and disciplinary files. Mayer-Schönberger already in 2009 explained the advantages of expiration dates: 1) they utilize already-existing technology; 2) legally, they reintroduce into the digital world forgetting by default, which is familiar and inherent, without establishing new rights or institutions; 3) they are a modest combination of legal and software mechanisms regulating human behaviour; 4) they are politically less controversial; 5) and they are intuitive for users.[6] Although the Comm received many comments, few of them referred to the “right to be forgotten”.
The above Communication of the Comm raised great expectations, but also concerns about the potential scope of the “right to be forgotten”. The EP Resolution on the Comm’s Communication underlined the importance of “clarifying in detail and codifying the ‘right to be forgotten’”.[7] ‘Feasibility’ and ‘legal status’ were the two key questions raising uncertainties on whether the right to be forgotten on the Internet could be effectively regulated and guaranteed.
[…]
[1]Judgment of the Court (Grand Chamber), 13 May 2014, Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González.
[2]Art. 29 WP, ‘The Future of Privacy. Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data’ (02356/09/EN; WP 168; adopted on 1 December 2009), p. 18 (fn. 27).
[3]Comm, ‘Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions – A comprehensive approach on personal data protection in the European Union’ (COM(2010) 609 final, Brussels, 4 November 2010).
[4]Ibid, p. 8 (“The Commission will (…) examine ways of (…) clarifying the so-called ‘right to be forgotten’, i.e. the right of individuals to have their data no longer processed and deleted when they are no longer needed for legitimate purposes. This is the case, for example, when processing is based on the person’s consent and when he or she withdraws consent or when the storage period has expired (…)”).
[5]EDPS, ‘Opinion of the European Data Protection Supervisor on the Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions – “A comprehensive approach on personal data protection in the European Union”’ (OJ C 181/01, 22.6.2011, p. 1), p. 18.
[6] Mayer-Schönberger, Delete: The Virtue of Forgetting in the Digital Age (Princeton University Press 2009), pp. 188–192.
[7]EP, ‘European Parliament resolution of 6 July 2011 on a comprehensive approach on personal data protection in the European Union (2011/2025(INI))’ (Wednesday 6 July 2011; Personal data protection in the European Union; P7_TA(2011)0323; 2013/C 33 E/10), para. 16 (see also fn. 9: “There must be clear and precise identification of all the relevant elements underpinning this right”).