The right to erasure, the right to be delisted and the right to be forgotten – clearing the conceptual haze

There are three concepts in EU data privacy law that are quite often conflated and misunderstood. These are: i) the right to erasure, ii) the right to be delisted and iii) the right to be forgotten. The aim of this article would be to establish conceptual clarity about these three notions and to further elucidate the relations between them.

The right to erasure

The right to erasure was initially established in the Data Protection Directive of 1995 (the DPD). The underlying rationale behind such a right was the notion of control – the idea that individuals should be empowered to affect the way their personal data is processed. There are three provisions in the DPD that lay the conceptual ground for the right to erasure. First, Article 6 e) of the DPD requires that personal data is kept in a form which permits identification of the data subject for no longer than necessary in view of the purposes for which the data were collected or processed. Naturally, this requirement can be satisfied by erasure of personal data. At the same time, it can also be achieved through other measures – for example, anonymization. Second, Article 12b of the DPD expressly guarantees every data subject the right to obtain from a data controller the erasure of data whose processing does not comply with the requirements of the Directive. The text of Article 12b points out the incomplete and inaccurate nature of the data as reasons for such non-compliance. However, as clarified in the Judgement of the Court of Justice of the European Union (henceforth, the CJEU) in Case C-131/12 Google Spain v Mario Costeja Gonzales (the Costeja ruling) these are just two examples and non-compliance could arise from any other non-observance of the conditions for lawful processing that are imposed by the Directive. Third, Article 14a of the DPD gives the data subject the right to object on compelling legitimate grounds to the processing of his personal data when the processing is based on the grounds of Article 7e (processing necessary for the performance of a task carried out in the public interest or in the exercise of public authority) and 7f (processing necessary for the purposes of the legitimate interests pursued by the controller) of the DPD. In such cases when the objection raised by the data subject is justified, the processing undertaken by the controller could no longer involve the data in question.

As part of the ambitious reform of the data protection legislation undertaken by the EU legislator the right to erasure was further amended in Article 17 of the GDPR and it was linked with the concept of a right to be forgotten.

 

 

The right to be delisted

Against this rich background of the right to erasure as initially conceptualized in the DPD and later in the GDRP under the banner of a right to be forgotten, we need to juxtapose the right to be delisted which is a very narrow right. The right to be delisted applies only to data processing operations involving personal data that are performed by search engine operators. It originates from the Costeja ruling of 2014 although the CJEU never named it as such explicitly. It can also be described as a right to be de-indexed or as a right to not participate in a list of search results under certain circumstances. The right to be delisted empowers the data subject to request from the operator of a search engine to remove certain links to webpages from the list of displayed results. In case this request is satisfied the end result is only a removal of the links but not the webpages to which they lead.

In its analysis the CJEU reached a conclusion that search engines are processing personal data as part of their operations and they must be regarded as data controllers within the meaning of Article 2b) of the DPD. Further, the processing that is carried out by operators of search engines has the capability to significantly affect the fundamental rights to privacy and protection of personal data when a search is performed on the basis of an individual’s name. Therefore, the individual should have the right to require the delisting of certain search results that link to information which appears to be inadequate, irrelevant or no longer relevant, or excessive in view of the purposes of the processing performed by the search engine operator. It follows from the ruling that the right to be delisted is related only to links that are generated as a result of a name search and the exercise of the right would never cause the deletion of a web page from the index of the search engine. Therefore, the page will still be accessible through other search terms different than the name of the individual in question.

Even though as explained, the right to be delisted does not entail erasure of the content it leads to a result that is broadly similar. In our contemporary digital world, web users are so accustomed to the ease and speed with which search engines provide relevant results to their queries that they rarely make the extra effort to locate a specific piece of information that has not appeared in the search results. Moreover, all search results that do not make it to the first three to five results on the first search results page tend to be naturally overlooked. In such circumstances and based on the heavy reliance on search tools by most web users, removing a link to a webpage could sometimes turn out to be almost as effective as deleting the webpage itself. Thus, the right to be delisted, when applied to search results generated as a result of a name search, in a subtle and indirect manner, achieves a result that serves the interest of forgetfulness but without actually erasing the published content.

The right to be delisted serves as a counterbalance to the ever-growing threat to privacy and data protection that is brought by the ease with which search engines compile a structured overview of the personal information for a data subject that is available over the internet. As established by the CJEU if the search and retrieval functionality provided by a search engine was not present it would be extremely difficult to gather personal data that is scattered over the Internet and compile it in an organized form that resembles a detailed profile. Thus, unlike the broad operational domain of the right to erasure, the right to be delisted aims to protect privacy interests in a very specific manner – by way of constraining the retrieval functionalities of search engines.

 

 

The right to be forgotten

It is far from easy to trace back the genesis of the notion of a right to be forgotten in European context. It can be argued that the notion has its roots in the French and Italian legal concepts of a ‘right to oblivion’ (‘droit а l’oubli’ in French, ‘diritto al’ oblio’ in Italian). The right to oblivion is generally viewed as a tool to impose silence on past events in a person’s life that are no longer relevant. That right has been instituted in Europe through both legislative acts and jurisprudence. In some jurisdictions in Europe the right to oblivion could also entail imposing certain restrictions on media reports related to past crimes. On such occasions the courts usually engage in a balancing exercise on a case-by-case basis between the competing rights. The balance is to be achieved between the personality rights of the data subject and the right to freedom of expression and information of the general public.

Back in 2009, a French legislative proposal about digital privacy contained a “right to digital oblivion – droit à l’oubli numérique”. Later, in 2010 the term “right to be forgotten” appeared in a resolution of the European Parliament regarding the new Digital Agenda for Europe. The parliament stressed that data subjects should be empowered to have control over their personal data including “a right to be forgotten” and further highlighted the need for adaptation of the DPD to the new digital environment. Even from this early perception of the right to be forgotten we could discern that it was envisioned as an enhanced version of the right to erasure that is properly adapted to the technological changes brought by the new millennium.

In this context, it is also important to note the Opinion of the European Data Protection Supervisor published in January 2011 where he stated that the degree of control an online user has over his data is quite limited in the current digital era and the notion of a right to be forgotten could put the data subject in a significantly stronger position towards the data controllers. It seems that we can establish a common thread in all positions mentioned above and it is that the right to be forgotten is viewed as the vehicle that would bring the right to erasure established in the DPD up to speed with the developments brought by the Internet age and augment it so that it can withstand the new threats to data privacy caused by global connectivity through a network that never forgets.

When the European Commission finally came forward with a proposal for a new Data Protection Regulation on 25 January 2012, it implemented a detailed “right to be forgotten and to erasure” in its Article 17. The analysis of the wording of Article 17 clearly demonstrates that in fact no new right was crafted but the existing right to erasure from Article 12b of the DPD was aimed to be enhanced and adapted. It was also clarified in the Impact Assessment to the proposed Regulation that the right to request deletion of personal data was already established in the DPD, but its practical enforcement towards a data controller was problematic, especially in the online environment.

It is very telling to trace the metamorphoses of the name of Article 17 in the preliminary drafts of the GDPR. In the initial proposal from May 2012 Article 17 was framed as a “right to be forgotten and to erasure”. This was redacted in the Albrecht Report published in November 2013 which proposed to change the title of Article 17 simply to “right to erasure”. As a form of reconciliation, in the final text of the GDPR, Article 17 was named “right to erasure” as the term “right to be forgotten” was put in brackets, right after it. What we are observing here are not just semantic nuances but once again a clear proof that we are faced with the core concept of a right to erasure that was aimed to be significantly augmented so that it meets the new challenges presented by the digital era.

Article 17, paragraph 1 of the GDPR establishes various grounds on which data subjects could obtain erasure of their personal data from a data controller. This is a different approach as compared to the one embraced by the DPD. Article 12b of the DPD formulated the ground for erasure broadly as processing that does not comply with the provisions of the Directive and gave only two examples – the inaccurate or incomplete nature of the data.

 

 

Under Article 17, paragraph 1, a) of the GDPR the data subject shall have the right to obtain erasure when the personal data are no longer necessary for the purposes for which they were collected or processed. This is a clear example of the functional interplay between the right to erasure and the purpose limitation principle developed in Article 5, paragraph 1, b) of the GDPR.

Second, the data subject can obtain erasure of personal data under Article 17, paragraph 1, b) if its processing was based on his consent and he has withdrawn it without there being a different legal ground for continued processing. This is another innovation in the GDPR as the DPD did not explicitly tie consent to the mechanism for invoking the right to erasure.

Third, under Article 17, paragraph 1, c) the data subject can obtain erasure of his personal data if he has objected to processing based on points (e) or (f) of Article 6, paragraph 1 of the GDPR and no overriding legitimate grounds exist for the processing. Article 6, paragraph 1, e) GDPR refers to processing “necessary for the performance of a task carried out in the public interest or in the exercise of official authority”. Further, Article 6, paragraph 1, f) GDPR refers to processing “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject”. Additionally, the data subject can also obtain erasure when he has objected to processing of personal data for direct marketing purposes.

The ground for erasure under Article 17, paragraph 1, d) is similar to the existing position in the DPD as it describes a situation where personal data has been processed unlawfully. Under Article 17, paragraph 1, e) the personal data of the data subject has to be erased for compliance with a legal obligation under Union law or Member State law to which the controller is subject. Finally, Article 17, paragraph 1, f) postulates that the data subject will have the right to obtain erasure of his personal data when it has been collected in relation to the offer of information society services to him when he/she was a child.

A new aspect of the right to erasure is revealed in the second paragraph of Article 17 of the GDPR. This provision bounds a data controller who is obliged to erase personal data which he has previously made public, to also take reasonable steps, including technical measures, to inform other controllers that are processing the personal data in question of the fact that the data subject has requested the erasure of any copies, links to or replications of such data. This provision in the GDPR is aimed to augment the right to erasure in view of the specific nature of the internet where information in digital form spreads and multiplies effortlessly and as a result exists on multiple locations at the same time. This is an obligation for certain efforts and not to achieve a given result. The controller is only obliged to take all reasonable steps and employ technical measures so that it can inform the other controllers who are in possession of the personal data whose erasure has been requested. It could be argued that the provision would have been more effective in guaranteeing the rights of the data subjects if it bound the data controller to achieve a certain result. However, this would be an extremely cumbersome task for the data controller and far from being practical given the ease with which information spreads over the Internet once it becomes public and the possibility for third parties to create copies of the information without the knowledge or consent of the data controller.

Finally, it is important to mention that the right to erasure established by Article 17 of the GDPR is not absolute. Article 17, paragraph 3 of the GDPR lists the exceptions to the right. Article 17, paragraph 3, a) stipulates that the right to erasure shall not apply to the extent that the processing of personal data is necessary for exercising the right of freedom of expression and information. This provision reflects the fine balance that needs to be sought between the data privacy rights of the individual and the opposing rights of freedom of expression and information of the general public. As has been established in the practice of the European Court of Human Rights (ECtHR), both freedom of expression on one hand and privacy and protection of personal data on the other hand are fundamental human rights deserving equal protection.

Further, Article 17, paragraph 3, b) provides that the right to erasure shall not apply when the processing is necessary for compliance with a legal obligation for the controller, the performance of a task carried out in the public interest or the exercise of official authority. In all these cases there is an important public interest in the continued processing of the personal data that overrides the right to erasure of the data subject. According to Article 17, paragraph 3, c), the right to erasure shall also not apply to the extent that the processing of personal data is required for reasons of public interest in the area of public health. Finally, paragraphs 3, d) and e) of Article 17 stipulate that the right to erasure shall not apply to the extent that processing of personal data is necessary for archiving, scientific, statistic or historical research purposes or for the establishment, exercise or defense of legal claims.

As we can clearly see from the above, Article 17 of the GDPR does not introduce a new concept but improves and augments an already existing one. What has initially been labeled as a “right to be forgotten” could be more accurately characterized as a right to erasure version 2.0.