The right to be forgotten has been recognized as a fundamental right by national courts before the upcoming of the digital era, as exemplified by the Italian Supreme Court’s Decision no. 3769 of the 22nd of June 1985.
However, as for many constitutional rights in particular freedom of expression – the scope of the droit à l’oubli has remarkably extended during the shift from the world of atoms to the world of bits. The acceleration of data-flows – as consequence of the emergence of Internet Service Providers and Social Networking – has diminished the individual’s certainties with regard to the dissemination of personal data and has deeply influenced the users’ privacy.
Additionally, as a result of the Internet of things (i.e. the ability of everyday objects to connect to internet and to send and receive data), granting data subjects means to pursue a higher degree of control over personal information has become a primary concern for EU law.
In this scenario the right to be forgotten has been recognized as a primary tool for data subjects to control the dissemination of their personal information on the internet.
Hence, the necessity to critically assess how EU law responded to an increasing demand in the field of data protection with a particular outlook to the much-awaited codification of the right to be forgotten. Consequently, this paper will focus on the three fundamental topics:
I. The first attempt to regulate data protection, i.e. Directive 95/46/EC
II. The judicial recognition of the right to be forgotten in the Google Inc. vs. AEPD decision in 2014.
III. The formal codification of the “right to erasure” in Regulation 2016/679.
All three events may be considered a portrayal of the main problem encountered by all legal systems in the digital era, i.e. the inability of the legal framework to keep up with the rapid changes in the technological scenario.
2. Directive 95/46/EC
The European Union adopted its first data protection legislation in 1995 with Directive 95/46/EC aiming at providing common legal principles that had to be subsequently implemented by the EU Member States in their national legislation.
In the context of the EU’s main objective a common legal framework to ensure the circulation of personal data within the EU territory was deemed as an essential tool to achieve the free circulation of people, goods and services. However, in its first legal framework data protection was intended from a purely economic standpoint as an instrument to promote the creation/achievement of the unique market, thus, lacking a so-called “constitutional soul”.
One of the main problems that arose with Directive 95/46/EC was that it was adopted when internet was not yet widespread. In fact, the digital revolution brought about many unprecedented constitutional implications.
One of the sectors where most of the constitutional implications emerged was the right to be forgotten, not been formally codified in the directive. Nonetheless, this did not deprive data subjects of the power to control the circulation of their personal data, albeit only exceptionally. In fact, pursuant to Article 6 (1) (e) Member States were due to ensure that personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed”. Furthermore, Article 12 (b) guarantees every data subject the right to obtain from the controller “as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data”.
Thus by combining Article 6 (1) (e) with Article 12 (b) of the Directive an implicit acknowledgment of the right to be forgotten could be construed.
In fact, the genetic collocation of the articles within the Directive reflects, in general terms, the structure at the basis of the right to be forgotten: deleting or amending information respectively when it is not necessary or in accordance with the factual developments of a particular case.
Therefore, although the Directive did not explicitly prescribe a right to be forgotten this could be construed through an extensive interpretation of its prescriptions.
Although the importance of Directive 95/46/EC shall not be undermined, being the first legislative act providing for data protection within the EU, its inability to provide a solid legal basis was portrayed by the case-law of the CJEU.
3. Google Spain SL vs. Agencia Española de Protección de Datos
The judicial recognition of the right to be forgotten occurred in 2014 with the cornerstone Google Spain SL v. Agencia Española de Protección de Datos decision.
In order to thoroughly comprehend how the CJEU recognized a European right to be forgotten, two preliminary aspects must be assessed:
i. The Court identified Google as both a data controller and a data processor pursuant to the definitions provided for in Article 2 of the Directive.
ii. Although recognizing that the processing of data occurred outside the EU territory, the CJEU extended the territorial scope of application of Directive 95/46/EC to Google Inc. The Court did so by ascertaining that since Google Spain was selling advertising space in Spain and since advertising constitutes the main revenue for Google Inc. the two entities are “closely related” and thus Google Inc. is legally bound by the Directive.
Once the threshold aspects were resolved the Court addressed the legal obligations concerning Internet Service providers under the Directive. The economic interests of Internet Service Providers and the necessity for a higher degree of privacy protection recognized to data subjects were taken into consideration in a classic balancing test. On one hand, the Court considered that the provision “permits the processing of personal data where it is necessary for the purposes of the legitimate interests pursued by the controller or by the third party”. On the other hand, however, the Directive provides for an exception “where such interests are overridden by the interests or fundamental rights and freedoms of the data subject — in particular his right to privacy with respect to the processing of personal data”.
The CJEU recognized Articles 14 (a) and 12 (b) of Directive 95/46/EC as providing data subjects respectively, the right to object and the right to request removal and Article 6 (1)(c) as the provision defining the substantive conditions relating to the information. Through an extensive interpretation of the Directive the CJEU obliged Google to “erase” the links related to the personal information of the data subject.
By recognizing a right to be forgotten the Court acknowledged the necessity for its codification which occurred two years after the decision in Regulation 2016/679.
4. The General Data Protection Regulation (GDPR)
The proposal for a General Data Protection Regulation was put forward by the EU Commission in 2012. The official text of Regulation 2016/679 was published the 27th of April 2016 and shall enter into force on May 25th 2018.
As a Regulation it will be directly applicable within the Member States legal frameworks providing for a higher degree of data protection harmonization within the European Union.
The scope of the Regulation is underlined in Recital 1 according to which “the protection of natural persons in relation to the processing of personal data is a fundamental right” and thus an adequate legal framework must be provided.
In particular, as an attempt to expand the data subjects’ control over the protection of personal data, the GDPR embodies and further builds the right to be forgotten as judicially recognized by the CJEU in 2014.
Article 17 of the Regulation provides for a “right to erasure” pursuant to which “controllers must erase personal data without undue delay if the data is no longer needed, the data subject withdraws consent, the data subject objects to the processing or the data has been unlawfully processed”. Moreover, Article 17 also extends the obligations pending on data controllers providing that – where a data subject requests the erasure of data – they shall take reasonable steps to inform other controllers that are processing the same data about the data subjects’ request, unless such action requires “disproportionate effort”.
Another important aspect that must be assessed when considering Article 17 relates to the limits that the same regulation poses to the exercise of the right to erasure. Pursuant to Article 17 (3) the right to erasure may not be exercised when data processing is necessary for exercising the right to freedom of expression, compliance with a legal obligation, reasons of public interest, establishment, exercise and defense of legal claims.
As previously stated, the GDPR will become legally binding in 2018 and for this reason predictions on whether or not it will be able to provide for an adequate legal framework seem pointless. The only certainty, however, is that technology will keep advancing.
The codification of the right to be forgotten – occurred only in 2016 – is one of the many examples used by scholars to portray the inability of the law to keep up with the technological developments. The 2014 CJEU decision further exemplifies how the Court is constantly called-upon to fill in the gaps of an inadequate legal framework. It can thus be ascertained that one of the few “constants” of these last 20 years has been the inability of EU law to respond to the rapid changes occurring in the digital scenario. Moreover, the inability of the legislation to provide for a solid legal basis along with the controversial interpretations that the CJEU has provided entail the sacrifice of one of the founding principles of all legal systems: the principle of legal certainty. The General Data Protection Regulation auspices to interrupt this trend and poses itself as an innovative legislative act which will be able to provide a solid framework to face the legal challenges of the new digital era. However, it is also important to underline that even the best legislative acts have proved unable to keep up with market evolution. This problem does not stem from a lack of competence of EU bodies but is rather caused by the inability to anticipate the markets’ evolution.