Right to be forgotten
Modern human life is inconceivable without modern technology. Modern technology enables us not only to get information in a fast and easy way, but also to share it. However, such an advantage comes with a major challenge, especially with regard to the protection of personal data.
The right to freedom of expression and the right to access information which arises from the right to freedom of expression are fundamental human rights enshrined in Article 100 of the Constitution of the Republic of Latvia, also called Satversme (hereinafter – Satversme), Article 10 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (hereinafter – Convention), as well as in Article 11 of the Charter of Fundamental Rights of the European Union (hereinafter – Charter). In contrast of these fundamental rights is the right to respect for individual’s private life enshrined in Article 96 of Satversme, Article 8 of the Convention and Article 7 of the Charter, as well as the right to protection of personal data laid down in Article 8 of the Charter. As none of the above-mentioned fundamental rights are absolute, it is necessary to make a case-by-case balancing of these rights.
On 13th of May 2014, the Court of Justice of the European Union (hereinafter – CJEU) in its judgment in Case C-131/12 Google Spain and Google upheld a person’s right to be forgotten. The right to be forgotten in essence means that a person has the right to request search engine providers to remove from their search results, in their name, links to web pages published by third parties that contain information related to that person. A person has such a right with regard to search results even if information about the person has not been deleted from these web pages or if the publication of information on these pages is lawful.1
In Case C-131/12 Google Spain and Google CJEU came to the conclusion that those rights override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name. However, that would not be the case if it appeared, for particular reasons, such as the role played by the data subject in public life, that the interference with his fundamental rights is justified by the preponderant interest of the general public in having, on account of its inclusion in the list of results, access to the information in question.2 The CJEU thus emphasized that those rights is not absolute and is guaranteed to an individual only where the individual’s right to respect for private life and the protection of personal data goes beyond the public interest in continuing to access certain information.
Currently, the right to erasure or the right to be forgotten, is enshrined in Article 17 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, also called General Data Protection Regulation (hereinafter – GDPR).3 According to Article 17 (1) of GDPR, the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the grounds established in the Article applies.
One of the recent most significant judgments further developing the scope of the right to be forgotten is the CJEU judgment of 24 September 2019 in Case C-507/17 Google / CNIL. In this judgment the CJEU clearly defined the territorial scope of the right to be forgotten. The CJEU acknowledged that there is no obligation under EU law for Google to apply the European right to be forgotten worldwide. The decision clarifies that, while EU residents have the legal right to be forgotten, the right only applies within the borders of the bloc’s 284 Member States.5
As the president of the CJEU Koen Lenaerts stated, “erasure of data outside EU territory is not regulated by EU law. EU law allows Member States to make their own choices regarding the erasure of information outside the EU”6. Advocate General Maciej Szpunar explained such a regulation in his observation: “If worldwide de-referencing were admitted, the EU authorities would not be in a position to define and determine a right to receive information [..] There would then be a danger that the European Union would prevent individuals in third countries from having access to information.”7
It should be noted that with this judgment the CJEU has indeed not ruled out the right of the EU Member States to decide whether territorial scope of the right to be forgotten is sufficient and, if necessary, to implement stricter measures in national law to protect those rights. Moreover, the CJEU has not ruled out the possibility that EU law might also require a search engine provider to operate worldwide, but again by accurately balancing the fundamental rights guaranteed to individuals.
It follows from all of the above that currently Article 17 of the GDPR guarantees an individual the right to be forgotten only within the EU. The CJEU has left the competence to determine whether a person has such a right outside EU territory to the EU Member States. However, since the right to be forgotten is not an absolute right, whether or not the search engine provider will be obligated to erasure individual’s personal data will depend on, whether in the individual case the right to respect for private life and right to protection of personal data will prove to be more important than the right of the society to access information
Legal services are often required to protect your right to protection of personal data. The Law office LUMOS provides a full range of services to entrepreneurs in implementation of Data protection Regulation and other laws and regulations, inter alia, conducting development of documentation, advising and evaluating the requirements of data protection in the company and auditing. Attorney Aleksandrs Lācēns has obtained a Data Protection expert certificate, ensuring the capability of the Law Office of Sworn Advocates LUMOS to provide, in co-operation with leading IT and security solution companies, full range of data protection services to merchants.