Written by: Setthakorn Puttamongkol
Bachelor of Laws, Chulalongkorn University; Independent Scholar.
The Titles is a direct reference to the song “Paint It Black”, written and performed by The Rolling Stones (1966).
Imagine that at some point in the past, one individual are being exposed to the nationwide media with high coverage for convictions in criminal offences, for controversial issues surrounding people or specific incident, or for other issues. As time goes by, the story’s coverage diminished, and eventually after some time, it disappeared from public eye. That individual later applies for work where background check is required, but failed the background check as a result of “negative publicity” from the past that the media or the police bureau retained. The negative publicity surrounding the individual, if discovered, could have reject every other opportunities, thus individual has to demand them be removed to cover up their traces.
The example provided above serves as a basis for the “right to be forgotten”, the right for individual to continue living their lives by leaving their past behind and not being brought up to jeopardize the life as it be at current. While this concept was recognized as a human rights by the jurisdiction that started it all, the European Union, there are still problems whether it will be fully compatible to the digital era where contents may be distributed, captured or recorded in any medium. This article aims to discuss the origin of this right and its implication on enforcing the “right to be forgotten”.
I. The Development of the Right to be Forgotten
The concept about personality rights is known as rights attached to person and aimed to protect individuals itself; the concept with respect to right to be forgotten has only been developed recently to ensure the non-prejudice treatment to the integrity of individual and, to a lesser extent, allow unfavorable record that may be otherwise unrelated to the act done in the present be removed from public view, of which the example includes the criminal record and the media depiction of controversial action done by that person. In 1973, on what is known as Lebach case, the convict of armed robbery filed a preliminary injunction against German court requesting the television station producing documentary about robbery to halt broadcasting. The two lower courts rejected the application, but the Federal Constitutional Court granted injunction, citing the provision in German constitution that “free development of personality and right to dignity are protected by law”. Lebach served as one of the milestone in development of right to be forgotten, which was reinforced in the European Convention on Human Rights (ECHR). In particular, Article 8 stated in part that:
“Everyone has the right to respect for his private and family life, his home and his correspondence”.
The development of a so-called “Right to be forgotten” resurfaces in European Union in a reference to the deletion of information which is incomplete or inaccurate in Article 12 of Data Protection Directive; it does not, however, give a clear view over how can individual request the “forgotten” to take place. It wasn’t until 2012 proposal by European Commission of General Data Protection Regulation to which the “Right to be forgotten” is explicitly mentioned. The Proposal outlined several instances where the data shall be deleted upon request and provides the ground for the data to be retained or disclosed, to which the details is to be described in the foregoing section.
The Right to be forgotten is best known in the case Google Spain et. al. v. Gonzalez et. al. Mr. Gonzalez, a Spanish national, filed a complaint to Agencia Española de Protección de Datos (Spanish Data Protection Agency; AEPD) that Google displayed the link of newspaper news showing that Mr. Gonzalez is facing auction attachment, of which they are no longer relevant and was in fact resolved. While the AEPD dismissed the claims against newspaper, it upheld the complaint against Google, citing that if the access of data compromises fundamental rights of data protection and prohibition of access, AEPD has the power to order the data not to be displayed. Google contested the decision in the Spanish High Court, to which the case was sent to the Court of Justice. While Google contested to the Court of Justice that the contest should be sent to the publisher of the website, the Court of Justice noted in the case that:
Given the ease with which information published on a website can be replicated on other sites and the fact that the persons responsible for its publication are not always subject to European Union legislation, effective and complete protection of data users could not be achieved if the latter had to obtain first or in parallel the erasure of the information relating to them from the publishers of websites.
The question that was established in the case is that whether the information should be removed when the information is, by the view of data subject, prejudicial. Google, and a number of amicus curiae brief filled by governments argued that the removal is strictly limited to those in Data Protection Directive, while Mr. Gonzalez argued that it should apply to all cases. The Court only answered this question by stating that the necessity for the data not to be link by its subject, and the interests to general public shall
be balanced. Following this decision, Google and other search engine were required to permit individuals to have their context removed; they responded by setting up specific mechanism for European jurisdiction, including the form to request removal and the notice noting that some contents are excluded from view in Google only for the domain in Europe, and not others. Google noted that, as of 11 June 2016, it has received at least 440,148 requests for 1,539,176 URLs to be removed, approximately 43% (three-seventh) of which Google choose to process.
II. What is, in essence, the right to be forgotten
As the Right to be Forgotten is actively developed in the European Union, a recite to General Data Protection Regulation is an ideal to examine what constitute the right to be forgotten, and to which extent does it apply. Article 17 of the 2012 Proposal, titled “Right to be Forgotten and to Erasure” describe that the data subject (the person related to those data) may request the data controller (one who acquired data) to remove and stop distribution of such data when it satisfies the following ground:
(1) The data is no longer necessary for the proposed collection;
(2) The data subject withdrawn the consent for data to be collected, or (in case the collection is done with time limit specified) the consent has expired and there are no grounds to retain such data, or the data subject disputed the collection and utilization of such data, or the data was not collected in accordance with the law
The law also specified that person receiving data from collected parties shall be informed that the data subject has requested the reference be removed. It also provides exception that the data must be erased except:
(1) The retaining of data is required for exercising the right with respect to freedom of expression, public interests (healthcare), historical, statistical and scientific purpose, unless the need is no longer required after a specific period of time;
(2) The data shall be retained in accordance with law of each country, which shall subject to the balance strike between public interest and removal of such data;
(3) If the data subject disputed accuracy of such data, the data requires to be kept for proof, the use of data is unlawful but the subject does not require the data be removed, or for the purpose of transferring data to another system, the data usage must be restricted but may not erase them. It shall be solely kept for proof or for right protection, and the subject shall be informed of the process on deletion or retention of such data.
While there is no international law that touch directly with this law, the international organization such as Organisation for Economic Cooperation and Development (OECD) attempted to establish the milestone on right to be forgotten which is valid across participating countries. The results is the Recommendation of the OECD Council in 1980, which, with respect to the right to be forgotten, provides that the data subject has the right to challenge the data and have them erased, rectified, completed or amended. As a recommendation, it does not have legally binding effect, though it served as a development for other laws to similar effect.
III. “Does it work, too?”
A number of scholars pointed out that the concept with respect to right to be forgotten is vague when it was written into law, but even more confusing when it comes to practice. Meg Leta Ambrose, in her paper jointly authored with Jef Ausloos, pointed out that certain activities, such as collection by virtue of household activities, national security and criminal investigation, were deliberately excluded off the Proposal, which means it may still be theoretically possible to retain data for the purpose of criminal investigation. If such retention is possible, it will be in contrary to the purpose of right to be forgotten that ex-convict may request the record be cleared for their fresh start. The author also noted that the introduction of concept relating to the consent and the withdrawal is a new development to the Proposal, but if the consent was granted for the data controller who later passed on such information to other party (whether in form of information purchase, exchange or other means), and the consent was later withdrawn, the controller may have to request the recipient of data to upheld the withdrawal of the subject by means of communicating to the recipient. Article 17(2) of the Proposal, however, noted that the controller is still liable if it allowed the recipient access to the data that should have been deleted.
A number of critics to the “right to be forgotten” noted that it is almost impossible to make someone “disappear” by invoking the right to be forgotten, as the data as it is being processed nowadays is very impossible to be eliminated out of presence. Bert-Jaap Koops, in his paper, broke down the right into three main primary uses, which will be described here in two:
- To request removal of data in due course. The implication behind it is who should be treated as data controller when the current trend of Web allowed for user-generated content to be posted (such as by taking photos or videos in public appearance, to which consent from data subject are not obtained) into specific platform (which is essentially similar to Google Spain v. Gonzalez case above and shall be referred to at later point). This does not include the fact that the same publication may be reproduced in a “mirror” site, with or without permission from the source, which makes the tracking down be much more difficult.
It is worth nothing that the exception on criminal investigation as stated in 2011 Proposal may allow the police or court authority to retain the record of suspected wrongdoings in database, which may adversely affect the background check in profession that required so. In 2008, the European Court of Human Rights decided in S and Marper v United Kingdom that the retention of DNA from the convicted for a criminal charge that was later dropped is unlawful.
It noted that (emphasis added):
…the Court finds that […] the powers of retention of the fingerprints […] of persons suspected but not convicted of offences […] fails to strike a fair balance between the competing public and private interests […] the retention at issue constitutes a disproportionate interference with the applicants’ right to respect for private life and cannot be regarded as necessary […]
The balance strike shall be subject to further discussion on a revisiting of Google Spain case, the landmark milestone of “right to be forgotten”.
- The “restart”. The restart as referred here reflects the issue in the opening paragraph of this article which people should have right to demand the outdated and prejudicing data be removed or at least not used against them (if the consideration so requires), like in bankruptcy and criminal law. For example, the data subject who is making a negative publicity but has since emerged from them (such as in tax convictions, defamation, bankruptcy, etc…) should have right to demand news media to remove or to refrain from reporting the negativity in the past. Koops noted the concept to be how to approach the data when it was released and used, not a pre-emptive prohibition on the extent the data may or may not be used in order that the data subject can discuss freely without having to require a “restart” if the data is misrepresented or prejudicial later.
While Jef Ausloos also identified other issues that the nature of privacy issue are very abstract and became issue when it was late to react, as the current society are tracking and/or using a big data nowadays, in the manner that people are much obliged to comply without appropriate framework to safeguard their interests, though if this “right to be forgotten” are abused, it may constitute form of censorship, and if there is no actual information to collect in the first place (as in most site claimed “anonymous, non-identifiable information”, then this right to be forgotten cannot be invoked to forget anything. The critics, however, agrees that there are some point the public interests may be claimed to forbid people to forget itself, such as the freedom of expression and freedom of press. While the ECJ in Google case noted that Google’s index is disproportionate, it noted that (emphasis added):
“…the processing by the publisher of a web page consisting in the publication of information relating to an individual may, in some circumstances, be carried out ‘solely for journalistic purposes’ and thus benefit, by virtue of [exception of Data Protection Directive]…”
11 months before the ECJ reached the decision in Google case, the Advocate General Niilo Jääskinen presents his non-binding opinion which argued that the right to privacy (and to private right in general) is, to certain extent, shall be subject to justified limitation, and by removing information which is publicly available for the purpose to be forgotten by the data subject, it would “entail sacrificing pivotal rights such as freedom of expression and information”, whereas the freedom of expression are enjoyed at the same level of right to privacy, and both need to be balanced.
In March 2016, French data regulator Commission Nationale de l’Informatique et des Libertés (CNIL) imposed an 100,000 Euro fine against Google for failing to comply with the right to be forgotten in its entirely. They noted that Google did indeed hide the website index from Google if the request came from European countries, but not from other continents (i.e. if the request was made in Asia or North America, it will still display the information as usual), which the CNIL claimed that the approach to suppress the result shall not depend on “geographic origin of those viewing the search results.”. Google published an open letter in French newspaper Le Monde nothing that such restriction would means the information would be censored worldwide when it is legal in other countries not the country of origin (in this case, France). It also noted that this may set a dangerous precedent for the law governing data and data protection to be apply worldwide when its applicability is solely for the exclusive jurisdiction only. In May of the same year, Google appealed the decision to the Conseil d’État, the Supreme Administrative Court in France, for the review of CNIL decision.
While the issue on how the effectiveness of right to be forgotten remained debatable on the issue not being an equivalent right, there are some approaches such that the data may “forget” itself without user intervention, such as by adding the expiry date or any technological measures to control them similar to Digital Rights Management (DRM) used in the online purchases, though there shall be governing regulation to ensure the control mechanism are not being circumvented
IV: How about Asia, in a way?
The major player in a game of big data are two countries and one entity: Japan, South Korea and Hong Kong. As such, these three countries shall be put greater emphasis.
In Japan, there is a conflicting standpoint over how to balance freedom of information with right to be forgotten prior to the introduction of the right recognized in Google case. In one instance in January 2014, the Tokyo High Court decided that removing the auto-prediction related to a person whose link tied with alleged crime not committed by him “cannot be taken into account the damage general public would loss from displaying information”, while in September of the same year, Kyoto District Court ruled against the man who asked the arrest record be purged; without concluding on the merit of the case, the Court throw the case away as Google is effectively American company, and the American division shall be responsible for this oversight (similar to forum non conveniens doctrine). Yahoo, who is also operated in Japan, were also face a takedown request and, after several court decisions, has decided to establish oversight procedure which is said to remove privacy-sensitive issue while granting freedom of information
This standpoint was changed when the influence of the “right to be forgotten” was accepted. A case in Tokyo District Court in October 2014 saw the Court ordered an interim injunction for the removal of search results linking to criminal activity. The Court in this case do not exactly touch into the right to be forgotten in the essence, but rather note that people has right to privacy, which is a bigger picture of the right to be forgotten. In 2016, however, the Saitama District Court rendered the interim injunction for Google to remove details of 3-year-old arrest with explicit mention to the right to be forgotten as established in EU. The presiding judge noted that people who was unduly exposed shall be entitled to have their private life honored and shall be given another opportunity to restart the life without hindrance from the past.
IV/II: South Korea
In April 2016, South Korea’s Communication Commission proposed a Guideline for Requesting Access Restriction on Media Posted Online. Essentially, this is similar to “right to be forgotten” that individual may request removal or restriction of access for media posted by other or by itself that cannot be removed online. The Commission described this as guideline that this is a “minimum” guideline in supplement of other laws, and, in a unique move, recognized that family members or spouses may exercise this right post mortem (after the subject’s death). The non-binding guideline is set to become effective in June 2016.
IV/III: Hong Kong
In 2014, there is an administrative appeal in Webb v. Privacy Commissioner for Personal Data. David Webb is a founder of private business database, which linked to the public case database operated by the authority. A complaint from one accused in an unrelated case leads to the redaction of names in the public database, but the name was not erased from the database Webb operates. Webb appealed the order of Privacy Commissioner, and the Administrative Appeals Board heard them in July 2015. It decided that, while Webb contested over the necessity and proportion of the law, there must be a balance struck. The Report by Privacy Commissioner, to which the Appeals Board agrees, noted that:
“…Whether the published data concerns matters of public interest is a factor that I will take into account when striking the balance between freedom of press and data privacy. In considering whether public interest is served in any news reporting, our stance is that public interest must involve a matter of legitimate public concern. There is a distinction to be drawn between reporting facts capable of contributing to a debate of general public interest and making tawdry descriptions about an individual’s private life. […]
In weighing the freedom of press and expression against the personal data privacy of the Complainant, […] the balance should be tipped in favor of protecting the personal data of the Complainant in the three edited judgments.”
IV/IV: Elsewhere in Asia
In India, sometime around April to May 2016 and perhaps being the first of its kind, a banker claimed the right to be forgotten over the news coverage over the marital dispute, demanding it be removed from the website and search engine. The Delhi High Court is scheduled to hear the case at the end of the year while awaiting the parties to file a response.
In China, a man filed complaint against the search giant Baidu (an equivalent to USA’s Google), claiming the search suggestion is damaging his reputation as it is associated in certain unrelated and sometimes unfavorable matter. The People’s Court of Beijing Haidian district rejected the case, citing that the right to be forgotten does not exist anywhere in Chinese Law, but only in foreign law which cannot be derived as a protection in domestic law. Other issues with respect to reputation and misrepresentation was also raised but dismissed as it was found that it was necessary to uphold the right to access to information (including prior work experience) and does not constitute tort, a separate ground of violation. This decision was upheld as final in the appeal to Intermediate People’s Court.
The issue of right to be forgotten are often derived from right to privacy, and since privacy are recognized in equal scale to the freedom of expression, taking balance into either issue often is not an easy task. The ground to be forgotten is often associated with the cleaning of prior traces which may be unfavorable (such as criminal record or civil litigation) or do not serve public interests, but may be otherwise used in background checks, though the ground for retention is often for the purpose of reporting history as it appeared for public interests, and there are also some technical difficulty associated with the vague term and enforcement of such law
in practice, as in the world of big data, it is very unlikely that the information may be completely removed out of sight while it is under processing by data controller or other entity, and the exercise of right will not only become problematic to the intermediary of the data, but to the ultimate entity when the request to be purge was served to. Several Courts attempt to determine the fair balance between the freedom of expression and right to be forgotten, and for such purpose, has outline some unofficial practice for the exercising of the right to be forgotten, such as by requiring the data subject to present sufficient information and probable causation associated with the display of such information, by means of removing direct and identifiable reference to the data subject but is otherwise remain in place, and by taking account of public interests associated with freedom of expression, and to some extent, freedom of journalism. However, the lack of law governing the purge of online media when it becomes obsolete also makes some other Court to turn and resort to other law, such as Data Protection Law. Theoretically, it is possible to use such law to resolve the issue, but its interpretation cannot go as far as lex specialis; Data Protection Law, as its name suggests, is design for the protection of data, not the “purge” of data.
While in the cyberspace of big data, individual would require more control to the data and how it was processed, it poses a problem on how would such data be regulated (in Data Protection Law) or be removed upon it is likely to become prejudicial (for the right to be forgotten) in conjunction with the balance of freedom for free access of information, journalism and expression. The recognition of right to allow people to request unfavorable content, as it is known in Google case as “right to be forgotten”, serves as a good milestone for the development on how person could exercise the right for noninterference (privacy), though until the issue was revised and set into stone, any development in this field remains open for all kind of interpretation and for any and all favor
 Chelaru Eugen, Chelaru Marius, Right to be Forgotten, 16 Anales Universitatis Apulensis Series Jurisprudentia (2013)
 Rolf H. Weber, The right to be forgotten: more than a pandora’s box?, 2(2) Journal of Intellectual Property, Information Technology and E-Commerce 120, 120-121 (2011)
 BVerfGE 35, 202. (5 June 1973), as cited in Weber (2011), at 4, page 2. The excerpt of the case were translated by F.H. Lawson and B.S. Markesinis, and appeared on http://germanlawarchive.iuscomp.org/?p=62
 Council of Europe, European Convention for the Protection of Human Rights and Fundamental Freedoms, 4 November 1950, ETS 5
 Formally, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (24 October 1995)
 Proposal 2012/0011 (COD) for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (25 January 2012)
 European Court of Justice, case C-131/12, Google Spain SL and Google Inc. v. Agencia Española de Protección de Datos and Mario Costeja González, Judgment of 13 May 2014
 Google’s URL is https://support.google.com/legal/contact/lr_eudpa?product=websearch for request for removal of results, while for Microsoft-owned Bing, the form is at https://www.bing.com/webmaster/tools/eu-privacy-request
 See https://www.google.com/transparencyreport/removals/europeprivacy for the exact figure as periodically updated
 supra Note 8
 Recommendation C(80)58/FINAL of [OECD] Council concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, 23 September 1980
 Meg Leta Ambrose and Jef Ausloos, The Right to Be Forgotten Across the Pond, 3 Journal of Information Policy 1 (2013), pp. 12-13
 Supra Note 8, Article 2, paragraph 2 et. seq.
 Bert-Jaap Koops, Forgetting Footprints, Shunning Shadows. A Critical Analysis Of The “Right To Be Forgotten” In Big Data Practice, 8(3) SCRIPTed 229 (2011), at 237 et. seq.
  ECHR 1581, Judgment of 4 December 2008
 Jef Ausloos, The ‘Right to be Forgotten’ – Worth remembering?, 28(2) Computer Law & Security Report 143 (2012)
 Julia Fioretti, France fines Google over ‘right to be forgotten’, Reuters (March 24, 2016), at http://www.reuters.com/article/us-google-franceprivacy-idUSKCN0WQ1WX (accessed June 11, 2016)
 Kent Walker, «Ne privons pas les internautes français d’informations légales», Le Monde (May 19, 2016), at http://www.lemonde.fr/idees/article/2016/05/19/ne-privons-pas-lesinternautes-francais-d-informations-legales_4922590_3232.html (accessed June 11, 2016) (in French). A translation appeared on Google Europe blog at http://googlepolicyeurope.blogspot.co.uk/2016/05/a-principle-thatshould-not-be-forgotten.html
 Sam Schechner, Google Appeals French ‘Right to Be Forgotten’ Order, The Wall Street Journal (May 19, 2016), at http://www.wsj.com/articles/google-appeals-french-right-to-be-forgottenorder-1463660336 (accessed June 11, 2016) (paywall)
 supra Note 18, at 153
 Tomoko Otake, ‘Right to be forgotten’ on the Internet gains traction in Japan, The Japan Times (December 9, 2014), at http://www.japantimes.co.jp/news/2014/12/09/national/crime-legal/right-to-be-forgotten-on-the-internet-gainstraction-in-japan/ (accessed May 29, 2016) (paywall)
 Eric Geller, Yahoo Japan agrees to honor requests to delete search results, The Daily Dot (March 31, 2015), at http://www.dailydot.com/politics/yahoo-japan-search-results-deletion-right-tobe-forgotten/ (accessed May 30, 2016)
 Megumi Fujikawa, Google Japan Case Raises Issue of “Right to Be Forgotten”, The Wall Street Journal (October 22, 2014), at http://www.wsj.com/articles/google-japan-case-raises-privacyissues-1413981229 (accessed May 29, 2016) (paywall)
 Justin McCurry, Japan recognises ‘right to be forgotten’ of man convicted of child sex offences, The Guardian (March 1, 2016), at https://www.theguardian.com/technology/2016/mar/01/japan-recognises-right-to-be-forgotten-of-manconvicted-of-child-sex-offences (accessed May 29, 2016)
 See the press release of Korea Communications Commission at http://www.kcc.go.kr/user.do?boardId=1113&page=A05030000&dc=K00000001&boardSeq=42370&mode=view (29 April 2016, accessed 30 May 2016) (in Korean)
 James Lim, South Korea Releases Right to Be Forgotten Guidance, Bloomberg BNA (May 9, 2016), at http://www.bna.com/south-koreareleases-n57982070847/(accessed May 30, 2016)
 See Webb v. Privacy Commissioner for Personal Data, Administrative Appeals Board decision no. 54/2014 (October 27, 2015), at https://www. pcpd.org.hk/english/enforcement/decisions/files/AAB_54_2014.pdf (accessed May 30,
 id, para. 45, pp. 24-25
 Abhinav Garg, Delhi banker seeks ‘right to be forgotten’ online, The Times of India (May 1, 2016), at http://timesofindia.indiatimes.com/india/Delhi-banker-seeks-right-to-beforgotten-online/articleshow/52060003.cms (accessed May 30, 2016)
 See First Intermediate People’s Court, case of Ren Jiayu v. Baidu Online Network Technology (Beijing) Co., Ltd., Yi Zhong Min Zhong Zi no. 9558 (25 December 2015) (in Chinese). See also Nathan Jubb, Chinese Have No Right to Be Forgotten, Court Rules, Sixth Tone (May 6, 2016), at http://www.sixthtone.com/news/chinese-have-no-right-beforgotten-court-rules (accessed May 30, 2016)
 Freedom of Expression is recognized in almost every human rights instruments, namely in Article 19 of Universal Declaration of Human Rights, Article 19 of International Covenant on Civil and Political Rights and Article 10 of European Convention on Human Rights
 See also Article 19, The “Right to be Forgotten”: Remembering Freedom of Expression, online at https://www.article19.org/data/files/The_right_to_be_forgotten_A5_EHH_ HYPERLINKS.pdf (accessed May 30, 2016)