FROM PAST PRINCIPLE TO PRESENT LEGISLATION: THE EVOLUTION OF THE RIGHT TO BE FORGOTTEN

 

AUTHORED BY: MS. SABRINA ROY CHAUDHARY

Assistant Professor, School of Law, Arka Jain University

 

 

ABSTRACT:

The right to be forgotten, a concept that has gained significant attention in recent years, particularly in Europe but also globally, represents a complex intersection of privacy rights, freedom of expression, and the challenges of the digital era. Stemming from the 2014 ruling by the Court of Justice of the European Union in the Google Spain case, this right grant individual the ability to request the removal of certain information about themselves from online platforms, search engines, and databases, under specific circumstances.

 

This abstract provides a critical analysis of the right to be forgotten, examining its origins, legal foundations, and implications across various domains. It explores the tension between privacy rights and freedom of expression, highlighting the complexities of balancing these fundamental rights in the digital age. It also considers the practical challenges of implementing and enforcing the right to be forgotten, including issues related to jurisdiction, the scope of the right, and the role of intermediaries such as search engines and social media platforms.

 

Furthermore, this abstract discusses the impact of the right to be forgotten on digital ecosystems, including its effects on access to information, online reputation management, and the broader implications for the regulation of the internet and also the degree of inclusion in Digital Personal Data Protection Act 2023, of India. It also considers the role of emerging technologies, such as artificial intelligence and blockchain, in shaping the future of the right to be forgotten, and the potential challenges and opportunities they present.

 

In conclusion, this abstract argues that while the right to be forgotten is an important tool for protecting individual privacy in the digital age, its implementation requires careful consideration of its broader implications for freedom of expression, access to information, and the evolving landscape of digital rights and responsibilities.

 

INTRODUCTION

To understand the evolution of the concept of Right to be forgotten, it’s important to define what it basically means. In plain language it means to ask for removing personal information by the individual which is available on the internet. The right “reflects the claim of an individual to have certain data deleted so that third person can no longer trace it” and is defined as “right to silence on the past events in life that are no longer occurring.”

 

We cannot imagine how a life of continuous harassment would look like without being able to do anything about it from a legal perspective. This is what has been happening for the last couple of years to American journalist Dune Lawrence, who has been subjected to a vicious series of online attacks.[1] “As a journalist covering financial markets, she wrote several articles a few years ago about an investment firm, and the owner initiated an online defamation campaign against her and other targets. He posted images of her to his website and called her a racist, a fraud, incompetent and dumb, among many other insults. Remarkably, these images quickly rose to the top of Google’s image search results for her name, and are still there at the time of writing, making it easy for anyone to find the defamatory comments about her. In fact, these results still display highly even though the creator of the site has already lost a defamation case, has been charged with fraud, and is in the process of defending yet another defamation case. Suing the host of the potentially illegal content is difficult, expensive, and it may even be impossible if they are in another country or are protected by strong free speech laws. Unfortunately for Dune Lawrence, this is precisely the case in the United States, where publishers are protected by strong laws that make them almost immune from liability when publishing potentially defamatory content.”[2]

 

This brings us to the Communications Decency Act was passed in 1996. Article 230 of the Act provides webmasters with waivers for third party content. In essence, Section 230c(1) provides an exemption from liability to providers and users of “interactive computer services” who post information from third parties. Providers or users of interactive computer services should not be construed as publishers or presenters for information provided by other content providers. Article 230(c)(2) of the Decree protects the Good Samaritan[3] from civil liability to the operator of interactive computer services when extracting or mediating material from third parties deemed obscene or offensive, including: Constitutional protection as long as this is done.

 

Section 230 was developed in response to several lawsuits against Internet Service Providers (ISPs) in the early 1990s, with differing interpretations of whether service providers should be considered publishers or distributors of user-generated content. After the telecommunications law was adopted, the CDA was challenged in court and found unconstitutional by the Supreme Court of Reno v American Civil Liberties Union (1997).

 

In 2018, Section 230 was amended by the Stop Enabling Sex Traffickers Act (FOSTA-SESTA) to require the removal of material violating federal and state sex trafficking laws. In the following years, protections from Section 230 have come under more scrutiny on issues related to hate speech and ideological biases in relation to the power technology companies can hold on political discussions, and became a major issue during the 2020 United States presidential election.

 

Passed at a time when Internet use was just starting to expand in both breadth of services and range of consumers in the United States, section 230 has frequently been referred as a key law that has allowed the Internet to flourish, and has been called "the twenty-six words that created the Internet".[4]

 

This project will look at the rise of the right to be forgotten, from the very initial time that gave rise to it, to the most recent iteration of the right contained in recent regulations. It will also analyse the problem and criticism that arose by the implementation of the right, and it will finish asking whether it is a valid addition to defend information self-determination, or if it infringes on freedom of speech and the public’s right to know. With regards to privacy, Europe has a robust system to ensure the protection of this right.

 

The evolution of this concept was seen in the case of Google Spain v AEPD and Mario Costeja Gonzalez (2014) and has proved to be a very important judgement in this field.

 

In this case, the European Court of Justice has ruled that European citizens have the right to require commercial searchers such as Google, which collect personal information for commercial purposes, to remove personal information links upon request. No more relevant. The courts have found that the basic right to privacy goes beyond the financial interests of businesses and in some cases beyond the public interest to access information. The European Court of Justice supported the Spanish Data Protection Agency's decision to advocate freedom of speech and refused to agree to delete personal bankruptcy articles from the websites of media agencies. However, the court pointed out that even in 2019, the principle of the right to be forgotten should be respected by Google only for EU countries that are not relevant to consumers and other states around the world. This case was Google's victory, but as the court ruling said it would not apply to other countries outside the EU, it informs citizens of this principle and eventually forces other states to focus on adopting laws in this regard. And we recognize that right.

 

Talking about the case, it gave rise to the concept of right to be forgotten being acceptable by the judiciary but the main reason as to why this concept came into existence is because of the Right to Privacy. One can only expect something like right to be forgotten exist only when one has the right to privacy. A legal definition of privacy is not available but a lot of experts tend to define privacy as a human right which a person enjoy as a part of his existence. “Privacy can also extend to other aspects, including bodily integrity, personal autonomy, informational self- determination, protection from state surveillance, dignity, confidentiality, compelled speech and freedom to dissent or move or think. In short, the right to privacy has to be determined on a case-by-case basis.”

 

Talking of global regulations, Article 12 of UDHR, 1948 (Universal Declaration of Human Rights), Article 17 of ICCPR, 1966 (International Covenant on Civil and Political Rights) gives protection to a person against the arbitrary interference of another person on his privacy, family, correspondence, home, reputation. In 1979 India had ratified the ICCPR. Article 7 and 8 of Charter of Fundamental Rights of European Union, 2012 recognizes the same and article 8 specifically talks about protection of personal data and its collection for only a legitimate purpose. Thus, we see that privacy of information it terms of data of an individual is not protected and forms a part of right to privacy.

 

Same context is seen in Indian legal system as well. Right to Privacy became a Fundamental Right in the case of Justice K.S. Puttaswamy v Union of India. In 2017, 9 judge bench unananimously declared that right to privacy is available to every person as a Fundamental Right under part III of the Constitution of India. “The right to be let alone, to seclude oneself from intrusions of any manner, is essential to privacy. Every individual is entitled to a state of repose. Liberty and privacy are integrally connected in a way that privacy is often the basic condition necessary to exercise personal liberty”- Justice Bobde. With this right to privacy also included privacy in terms of data as data in an intrinsic part of an individual and he should have the sole authority to decide what information about him should be circulated and what should be removed from the internet which does not hold any purpose anymore.

 

Article 8 of the European Human Rights Convention (ECHR) states that "everyone has the right to respect his privacy and family life, family and correspondence". This is a trusted law accepted by the European legal system. However, self-determination of information can sometimes interact, but not confidentiality. Self-determination of information is protected by the data protection regulations established by the European Data Protection Directive (DPD) of 1995. The main purpose of data protection guidelines is to protect the rights of identifiable natural persons (referred to as data subjects) by establishing a set of principles and circumstances. Data objects (referred to as personal data) can be legally processed. Any legal entity that can determine the purpose and control of an individual's personal data is called a personal data controller. DPD was updated in 2016 according to GDPR (General Data Protection Regulation). GDPR talks about the right to be forgotten in a certain way. I will mention it next time. However, basic information on the GDPR was adopted by the European Parliament in April 2016 and replaced the 1995 Data Protection Directive. Out of date. Describes provisions that mandate businesses to protect the personal data and integrity of EU citizens for transactions occurring in EU countries. The GDPR also contains provisions regulating the export of personal data to individuals outside the EU. The rules are the same in all 28 EU countries, so the company only needs to follow EU standards. However, this standard is quite high and most companies have to invest heavily to comply with the GDPR.

 

According to the GDPR, registrants have the right to have administrators delete personal data about themselves without undue delay.

 

According to GDPR, the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.

• Under Article 2 of the GDPR, “personal data” means “any information relating to an identified or identifiable natural person (“data subject”)”.
• “Controller” means “the natural or legal person, public authority, agency or any other body which determines the purposes and means of the processing of personal data”.
• According to the GDPR website, “undue delay” is considered to be about a month.

 

Art. 17 - Right to erasure (‘right to be forgotten’)

1. “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
2. the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
3. the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
4. the personal data have been unlawfully processed;
5. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
6. the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).”

1. If the controller is required to make personal data publicly available and delete personal data pursuant to paragraph 1, taking reasonable measures, including technical measures, to inform management, taking into account the available technology and the cost of its implementation. Process personal data that the data subject has requested to be deleted, copied or duplicated on any link to that personal data.

1. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

1. for exercising the right of freedom of expression and information;
2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
3. for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
5. for the establishment, exercise or defence of legal claims.
6. Companies with headquarters in the United States are also affected by the right to be forgotten.
7. Another highlight of the decision is the fact that it has to do with companies based in and out of the EU.

 

The court has found that the fact that the servers on which Google performs data processing operations are not physically located in countries other than EU member states is not exempt from liability arising from the Directive. EU 95/46 / EC EU.

 

Google Spain does not perform any indexing activities, but only advertising activities. The company is a company organized under Spanish law, so it does what it does at any time. When it comes to indexing, we have concluded that the company's activities should follow it. EU Directive 95/46 / EC.

 

Given the number of Internet users in all EU countries and almost all major search engines in the world, it is considered to work almost without exception in this region, the impact of this decision is enormous.

 

In this case, enterprises that are not subject to EU Directive 95/46/EC in their data protection activities and activities are in non-member countries and must comply with EU member states. We conduct our activities in accordance with these guidelines to serve EU citizens, including giant names such as, Yahoo and Bing. The effectiveness of the decision is even more pronounced when we consider that these companies should conduct business in accordance with the provisions on which they are based, as well as other provisions of Directive 95, 46.

 

Obviously, Google will have the biggest impact as it has the largest share in the relevant market. Google now faces very serious responsibilities in the EU, which was not much before, due to decisions made by EU judiciary and administrative authorities last year. One example is the voting resolution adopted by the European Parliament on November 27, 2014, which gives the EU anti-federal authorities approval to issue warnings against Google even if the EU anti- federal authorities do not have an executive branch.[5]

 

RIGHT TO BE FORGOTTEN V FREEDOM OF SPEECH

The main argument for "the right to be forgotten" stems from the conflict with the right to freedom of expression. Jonathan Zittrane argues that the right to be forgotten limits freedom of expression by altering search engine results without removing the actual source. [7] This change in search results compared to keeping books in the library but making the catalog inaccessible. A better approach would be to have the data object provide more context to the aspects and information of the story than to allow some distraction. Unlike the United States, the European approach is to balance freedom of opinion with other matters. One of the exceptions to the third paragraph of paragraph 3 of Article 17 stipulates that information cannot be deleted if it is necessary to exercise the right to freedom of expression, but freedom of expression does not completely violate confidentiality as a value''must be protected. The US Constitution, on the other hand, tends to be more trustworthy in very limited circumstances and violates the right to the first amendment. Florida Star v. of the US Supreme Court. BJF, legally obtained information may be restricted to disclosure only in the case of "national interest". These services allow you to waive any rights you may have in the most limited circumstances, and damage to confidentiality and reputation is not standard. For this reason, the right to be forgotten as set out in Article 17 may not work in the United States.[6]

 

CONFUSION IN LAW

According to Article 17 of the EU Directive, the term "personal data" includes all information relating to an individual. Although not unique to identification, there is some ambiguity as to whether information that is part of a small group can be considered in the context of personal data. This is relevant, for example, when someone tries to delete information that points to a family member without speaking to that person. At the same time, the information one person wants to delete may include personal information about more than one person. It is not clear whether consensus from all stakeholders is required, and if not, what parameters the individual's wishes should take precedence over others. Another important question that is still unanswered is whether the same content abstraction standards should apply to most people and those involved in public life.

 

Article 17 (1) (a) provides for deletion when the data is no longer necessary for the purpose for which it was collected or used. The criteria for situations in which these criteria are met are not yet clear and can only be fully understood through the consistent application of this law.

 

Finally, it is unclear how this deletion will actually be implemented if there is a reasonable basis for requiring the deletion of the information. It may be irrational to require that all copies of dispute data be deleted so that they are as unsearchable as technically possible. A smarter solution is to encrypt the data as if some records were sealed and strict confidentiality obligations apply. In most cases, it may be sufficient to remove controversial data records from search results and database reports without actually interfering with the information present. These are some of the issues that the actual application of this right faces and needs to be considered when applying the proposed rules.

 

---

[1] Lawrence D (2016) The Journalist and the Troll: This Man Spent Two Years Trying to Destroy Me Online. Bloomberg. http://www.bloomberg.com/features/2016-benjamin-wey/. Accessed 03 Nov 2016

[2] Communications decency act article 230

[3] The Good Samaritan Law allows a person, without expectation of payment or reward and without any duty of care or special relationship, voluntarily come forward to administer immediate assistance or emergency care to a person injured in an accident, or crash, or emergency medical condition.

[4] "Trump's Executive Order: What to Know About Section 230". Council on Foreign Relations. Retrieved September 4, 2020.

[5] European Parliament Backs Investigation to Split Google Search from Its Other

Businesses http://techcrunch.com/2014/11/27/google-unbundle-eu/ Date of European Parliament Backs Investigation to Split Google Search from Its Other Businesses http://techcrunch.com/2014/11/27/google- unbundle-eu/ Date of Access:22.12.2014

[6] Zittrain, Jonathan, Don’t Force Google to Forget (May 14, 2014)