Lade Inhalt...

The Right to be Forgotten in the European Human Rights Regime

Seminararbeit 2014 26 Seiten

Politik - Internationale Politik - Thema: Völkerrecht und Menschenrechte

Leseprobe

Table of Content

1. Introduction

2. Historical Background
2.1 Right to Oblivion
2.2 Right to Privacy and Self-Determination

3. Legal Foundations
3.1 European Union
3.2 Council of Europe

4. Choosen Cases
4.1 Times v. The United Kingdom (ECtHR, 2009)
4.2 Google Inc. v. AEPD/Mario Costeja González (ECJ, 2014)

5. Critical Issues
5.1 Freedom of Expression
5.2 Right to Information
5.3 Right to Remember

6. Data Controllers

7. Technical Challenges

8. Conclusion

9. Bibliography

1. Introduction

A recent judgement[1] by the European Court of Justice has stirred up heated debates among supporters and opponents of the newly introduced right to be forgotten. At the core of the discussion is the question how to balance privacy rights against the right to freedom of expression in the digital age. The following paper considers arguments by both factions, to identify, critically discuss or reject potential harms evolving from the current concept of the right to be forgotten

While supporters of the Court's decision, such as Viviane Reding, who is Justice Commissioner of the European Union (EU), are convinced that the ruling is a step forward in personal data protection, others believe that "only the powerful will benefit"[2] from the new right and that it weakens "our democratic foundations"[3] and leads to a dangerous rewriting of history.

The following paper, which was drafted within the framework of the Vienna Human Rights Master Program, is structured in six chapters, which deal with various historical, legal and technical aspects of the right to be forgotten. The first part will place the right to be forgotten within its historical context and trace its roots within the notion of the right to oblivion, to gain a better understanding of its legal descent. The second chapter will provide a brief overview about the legal documents, which govern the European Data Protection policy with emphasis on the current and future system of the European Union. The third chapter outlines specific cases, which were incisive for the development of the scope and enforcement of the right to be forgotten. The fourth part of this essay will critically discuss possible interferences of the right to be forgotten with other human rights such as the right to freedom of expression, the right to remember and the right to information. Afterwards the paper will take account of the controversial role of data controllers, such as the search engine Google, and briefly discuss its role within the legal context. Finally the paper will bring the reader's attention to the technical difficulties, which surround the right to be forgotten.

2. Historical Background

Before discussing the status quo of the right to be forgotten within the European context and to reply to the heated discussions, whether the European Commission proposed something entirely new in its Data Protection Regulation of 2012, it is suitable to trace the historical roots of the right to be forgotten. Europe has a long tradition of privacy rights, which already manifested 60 years ago e.g. in the European Convention of Human Rights, enshrined in Article 8, which explicitly introduced the right to respect for private and family life.[4]

Historically the right to be forgotten is derived from the need "of an individual to determine the development of his life in an autonomous way, without being perpetually or periodically stigmatized as a consequence of a specific action performed in the past."[5] The concept of the right to be forgotten, according to Hoboken, is nothing new, especially under consideration of national legal norms of the Member States of the European Union.[6]

2.1 Right to Oblivion

Historically the right to be forgotten is fundamentally connected with the droit á l’oubli (right to oblivion), which has its "rationale in privacy as a [...] fundamental right (related to human dignity, reputation etc.)."[7] Two divergent versions of the right can be encountered through legal history: (1) First the right to oblivion found its application in the context of criminal convictions, exacting when criminals, who had served their sentences, claimed they do not want to be associated with their criminal past any longer. In this context the "public’s right to access the information, which may or may not remain newsworthy"[8] had to be balanced with the individual's privacy rights. Concerning this matter the right is based on the assumption that the human being can change. (2) The second version of the right to oblivion is more precisely a right to erasure, because it grants the individual the right that data, which was disclosed passively, is deleted.[9]

National Data Protection Agencies in Spain, Germany, France and Italy had a considerable impact on the development of the right to be forgotten and deserve to be mentioned, especially as they inspired and heavily influenced the course, sometimes even the wording, the European Commission employs today.

The French Data Protection Agency, Commission nationale de l'informatique et des libertés (CNIL), was the first to recognise the right to be forgotten and subsequently stated that personal data must be "processed fairly and lawfully and collected for specified, explicit, and legitimate purposes."[10]

The Bundesdatenschutzgesetz 1977 (Germany) and the Loi relative a l’informatique, aux fichiers et aux libertés 1978 (France) both contained clauses that stipulated for the right to erasure at an early stage long before today's digital challenges emerged:

"Section 4: every data subject has the right to: […] (4) erasure of stored data concerning him where such storage was inadmissible or - as an option to the right of blocking of data - where the original requirements for storage no longer apply."[11]

"Article 36: if personal data are inaccurate, incomplete, ambiguous or out of date, or if collection, use, disclosure to third parties or storage are prohibited, the data subject may have the data amended, supplemented, clarified, brought up to date or destroyed/erased (effacer). Article 38: the data user must inform third parties to whom the personal data were supplied that the data has since been corrected or destroyed"[12]

The Italian Data Protection Agency, Garante per la Protezione dei Dati Personali (GPDP), found that, based on Article 11 of the Italian Data Protection Law, the right to be forgotten inherits the right to "cancel personal data when it is no longer useful for the purpose it was processed"[13] and the Spanish Data Protection Agency, Agencia Española de Protección de Datos (AEPD) recently declared that individuals have both, "the right to delete personal data published without the data owner's consent and the right to object to data processing performed by search engines."[14]

2.2 Right to Privacy and Self-Determination

Ambrose and Ausloos assert that the consequences of today's data processing and data dissemination are completely unpredictable, due to the fact that the harms caused are often related to societal and psychological issues. Furthermore they are unforeseeable because their impact often only reveals itself after a series of reactions. The most problematic aspect about the issue is that, despite the fact that individuals may be aware of these unpredictable consequences, there is no major change in their behaviour. Our search history, our shopping habits, our sexual preferences, and even our emotions - e.g. Facebook recently introduced the possibility to express one's mood in a Status update - "can be harvested"[15] to an extend that is hardly imaginable.[16]

In this context the right to be forgotten has been strongly attached to notions of privacy and self-determination. The right refers to "individual autonomy, the capacity to make choices, to take informed decisions, in other words to keep control over different aspects of one's life."[17] Accordingly Terwangne connects the right to be forgotten to informational self-determination which "means the control over one's personal information, the individual's right to decide which information about themselves will be disclosed, to whom and for what purpose."[18]

3. Legal Foundations

Before outlining the Legal Foundations of the European Data Protection Policy with special emphasis on the right to be forgotten it is worthy to mention that there "exist no global, legally binding instruments relating to data protection." [19] However, the EU Data Protection Directive 95/46/EC inhabits a special status worldwide since it is the most comprehensive protective regime available. [20] Despite that the European model cannot provide a global answer e.g. with regards to the U.S. perspective, "where freedom of speech, including communications, would be weighed much more heavily against privacy concerns, as national legislation and precedent at the Supreme Court demonstrates." [21]

3.1 European Union

The most important legal act which governs the current European data protection regime is the Data Protection Directive 95/46/EC issued by the European Parliament and the European Commission on 24 October 1995.[22] Despite the fact that the contemporary European legal framework does not explicitly mention a right to be forgotten, several provisions can be interpreted as "diluted right to be forgotten provisions."[23] Accordingly Article 6(1)(e) of the Directive provides that personal data can be stored "for no longer than is necessary for the purposes for which the data were collected or for which they are further processed."[24] However, Article 7 of the Directive, which states that "data may be processed only if (a) the data subject has unambiguously given his consent", does not provide for any kind of follow up about what happens, if the data subject withdraws his/her consent. Therefore it is not surprising that in the Internet personal data is still processed and stored for unlimited lengths and millions of different purposes.[25]

The most striking articles, which could be attached to the right to be forgotten in the current Directive are 12(b) and 14. The first provides each data subject the right to "obtain from the controller the rectification, erasure or blocking of data"[26] but only if the processing "does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data."[27] Article 14 grants a general right to object to the data subject but is also limited in its scope, because Member States only have to concede the right to object on "compelling legitimate grounds [...]."[28] Based on the Articles outlined above, the Commission rejects all claims, that it proposed something fundamentally new.[29]

On 25 January 2012 the Commission of the European Union proposed a comprehensive overhaul of the principles enshrined in the Directive 95/46/EC in order to strengthen fundamental online privacy rights of natural persons. Accordingly Viviane Reding, the EC Vice-President outlined the main pillars of the new Data Protection Regulation in a Speech in March 2012:[30]

(1) One continent, one law: The regulation aims to establish a "single pan-European law"[31] for Data Protection, to avoid the inconsistency of current national legislation. Effective Sanctions shall be implemented that enable national data protection authorities to enforce fines up to 5% of the annual worldwide turnover of a company.[32]

(2) Territorial Scope: When non-European companies operate on the European market and offer services to European consumers they are obliged to respect the European Data Protection law. The logic behind it is "if companies outside Europe want to take advantage of the European market [...], they have to play by European rules."[33]

(3) The third pillar is constituted by the right to be forgotten, arguably (cf. 4.2) based on pre-existing data protection rules of the Directive 95/46/EC. The right to be forgotten aims to protect the privacy of the data of EU Citizens, especially teenagers, "to be in control of their own identity online."[34]

(4) The fourth and last pillar of is a "One-stop-shop" aims to simplify the complaint mechanism against companies with branches in several Member States. Therefore companies will only have to deal with one interlocutor e.g. a single national data protection authority. This pillar also empowers citizens, who only have to refer to the authority in their member state.

Furthermore the new Data Protection Regulation as proposed is reversing the burden of proof. Accordingly it is "for the company - and not the individual - to prove that the data cannot be deleted because it is still needed or is still relevant."[35] Beside that the data controller has the obligation to take 'reasonable steps' to apprise third parties of the fact an individual wants the personal data to be deleted.[36]

3.2 Council of Europe

The Council of Europe's Committee of Experts on data protection (CJ-PD) discussed the right to be forgotten in the context of data being collected through automated communication processes in the 1980s and came to the conclusion that the data obtained should be deleted after a certain time.[37] In another report of 1990 the CoE CJ-PD anticipated the ongoing discussion, whereas the right to be forgotten could be an attempt to rewrite history.[38] Especially with regards to criminal proceedings and reintegration in 2003 the Committee of Ministers issued the "Declaration and Recommendation on the provision of information through the media in relation to criminal proceedings"[39], emphasising that a balance has to be found between the right to private life (Article 8 ECHR) and freedom of expression (Article 10 ECHR). To further gain an understanding how the Council of Europe resolves this balancing act a case will be discussed within the following section of this paper.

4. Choosen Cases

4.1 Times v. The United Kingdom (ECtHR, 2009)

In 2009 the European Court of Human Rights (ECtHR) decided on the case of Times v. UK, which dealt with defamatory lawsuits and freedom of media. In its judgement the ECtHR "for the first time qualified the importance of the Internet for the promotion of the values protected by Article 10 ECHR."[40] The Court claimed that, due to the important role the internet plays "in enhancing the public's access to news and facilitating the dissemination of information [...]"[41], the Court considers, that Internet Archives "fall within the ambit of the protection afforded by Article 10."[42] The case introduced the so called 'Internet publication rule', which protects the media against claims in relation to older publications:

“[The Court] observes that the introduction of limitation periods for libel actions is intended to ensure that those who are defamed move quickly to protect their reputations in order that newspapers sued for libel are able to defend claims unhindered by the passage of time [...]. In determining the length of any limitation period, the protection of the right to freedom of expression enjoyed by the press should be balanced against the rights of individuals to protect their reputations and, where necessary, to have access to a court in order to do so."[43]

The reasoning behind the judgement can be summarized that "after some time media should not have to fear for litigation with respect to the legality of their publications."[44] Interestingly the decision of the ECtHR is in contradiction to a recent ECJ ruling, which will be discussed in the following chapter. While for the ECtHR the right to freedom of expression and freedom of media, after a certain period of time has passed, seems to prevail over privacy rights, the ECJ does opposite stating that "no longer relevant" information has to be deleted by the data controller.

"Clearly, this is precisely the opposite logic as underlying the right to be forgotten in data protection, as applied to online publications. In the latter case, the 'older' the publication becomes the less reason there is for it to stay online, at some point giving rise to the possibility exercise the right to be forgotten."[45]

4.2 Google Inc. v. AEPD/Mario Costeja González (ECJ, 2014)

In 2010 the Spanish citizen (Mario Costeja González) lodged a complaint with the Spanish national data protection agency (AEPD) against the newspaper La Vanguardia Ediciones SL (La Vanguarida) and Google Spain and Google Inc. The claimant argued that an auction notice of his repossessed home accessible online on two pages of La Vanguardia and searchable through Google Search Indices interfered with his privacy rights because the proceedings against him dating back to 1998 already had been fully resolved.[46] In his request he urged on the newspaper to alter or remove the pages which contain his personal data, hence it could no longer be related to him and requested that Google Spain and Google Inc. removes the personal data which related to him in search results. AEPD dismissed the claim regarding La Vanguardia because the information had been legally published, but upheld the second complaint based on the fact that search engines are subject to data protection law.[47] Google, arguing that the decisions of the AEPD would have a repulsive effect on freedom of expression without strengthening privacy rights,[48] appealed the decision to the Audenica National (Spanish National High Court), which directed the case to the European Court of Justice (ECJ) to gain a preliminary ruling, whether if Google, under the current Data Protection Directive 95/46/EC and Articles 7 and 8 of the EU Charter of Fundamental rights, could be forced to erase data upon individual request.[49] In particular three categories of questions were referred to the ECJ: (1) about the Territorial Scope of the Data Protection Directive 95/46/EC, (2) about the liability of Search Engines and (3) about a general right to be forgotten.[50] Strikingly and fairly uncommon the decision of the Court strongly differed from the Conclusions[51] drawn by the Advocate General at the European Court of Justice Niilo Jääskinen on 25 June 2013.[52] Jääskinen argued against the de-indexation of the content related to the Spanish citizen, based on several assumptions: Emphasizing the importance of freedom of information, speech and media, in his opinion, the Directive (3) does not provide for a general right to be forgotten and furthermore Google cannot be considered (2) "a data controller of data available on third parties websites [La Vanguardia] as it does not control the content of these websites."[53] Contrary to this findings the ECJ stated that the Search Engine of Google meets the criteria of being a Data Controller because its activity consists of "retrieving, recording and organizing personal data which it stores on its servers and, as the case may be, discloses the data to its users in the form of lists of results."[54] Furthermore Google is considered a data controller by the Court "in relation to the processing of the data by the search engine."[55] Therefore in the preliminary ruling of 13 May 2014 the ECJ issued a ruling with the following findings:

[...]


[1] Google Spain v AEPD and Mario Costeja González (ECJ, 2014).

[2] Stephens, Mark: Only the powerful will benefit from 'the right to be forgotten'. available at http://www.theguardian.com/commentisfree/2014/may/18/powerful-benefit-right-to-be-forgotten (consulted on 18.5.2014).

[3] idem.

[4] Cf. Ambrose & Ausloos, 2013, p. 6.

[5] Mantelero, 2013, p. 230.

[6] Cf. Hoboken, 2013, p. 2.

[7] supra note 4, p. 2.

[8] supra note 4, p. 2.

[9] Cf. idem, p. 2.

[10] Castellano, 2012, p. 2.

[11] Bundesdatenschutzgesetz, Gesetz zum Schutz vor Mißbrauch personenbezogener Daten bei der Datenverarbeitung, 1977, available at http://www.bfdi.bund.de/bfdi_wiki/index.php/BDSG_1977 (consulted on 1.5.2014)

[12] Loi relative a l’informatique, aux fichiers et aux libertés, 1978, available at http://www.cnil.fr/documentation/textes-fondateurs/loi78-17/ (consulted on 1.6.2014)

[13] supra note 10, p. 2.

[14] idem, p. 1.

[15] supra note 4, p. 4.

[16] idem, p. 4.

[17] Terwangne, 2012, p. 110

[18] idem, p. 110.

[19] idem, p. 114.

[20] idem, p. 114

[21] Sidley Austin LLP, 2014, available at http://www.sidley.com/European-Court-of-Justice-Finds-Right-to-be-Forgotten-and-Compels-Google-to-Remove-Links-to-Lawful-Information-05-19-2014/ (consulted on 11.6.2014)

[22] Cf. Smętek & Warso, The right to be forgotten - step in the right direction?, available at http://www.europapraw.org/files/2012/10/The-right-to-be-forgotten-%E2%80%93-step-in-the-right-direction.pdf (consulted on 7.6.2014)

[23] supra note 4, p. 7.

[24] Directive 95/46/EC, 24 October 1995, Art. 6(e).

[25] supra note 4, p. 7.

[26] supra note 24, Art. 12(b).

[27] idem, Art. 12(b).

[28] idem, Art. 14(a).

[29] Cf. European Commission, Factsheet on the right to be forgotten ruling (C-131/12), available at http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_en.pdf (consulted on 4.6.2014).

[30] Cf. Reding, SPEECH/20/200, 20 March 2012.

[31] European Commission, MEMO/13/923, 22 October 2013.

[32] Cf. idem.

[33] idem.

[34] idem.

[35] supra note 29.

[36] idem.

[37] Cf. CDCJ, Strasbourg 1989, p. 11.

[38] Cf. CDCJ, Strasbourg 1990, point 11.

[39] Council of Europe, 10 July 2003, available at https://wcd.coe.int/ViewDoc.jsp?id=51355 (consulted on 11.6.2014).

[40] supra note 6, p. 24.

[41] Times v United Kingdom, ECtHR 2009, para. 27, available at http://hudoc.echr.coe.int/sites/eng/pages/search.aspx?i=001-91706#{%22itemid%22:[%22001-91706%22]} (consulted on 10.6.2014)

[42] idem.

[43] idem, para. 46.

[44] supra note 6, p. 24.

[45] idem, p. 25.

[46] supra note 29, p. 1.

[47] Cf. Ashurst London, 2014, p. 1.

[48] Cf. Flock, 20 April 2011, available at http://www.washingtonpost.com/blogs/blogpost/post/should-we-have-a-right-to-be-forgotten-online/2011/04/20/AF2iOPCE_blog.html (consulted on 10.6.2014)

[49] Cf. supra note 47, p. 1.

[50] Cf. Weiss, 1 August 2013, available at http://www.dmlp.org/blog/2013/cjeu-advocate-general-finds-no-right-be-forgotten-search-engines-under-eu-law (consulted on 12.6.2014)

[51] Cf. Jääskinen, 25 June 2013, available at http://curia.europa.eu/juris/document/document.jsf;jsessionid=9ea7d2dc30d509851199819d4d939959bbac0ed77703.e34KaxiLc3qMb40Rch0SaxuNbh90?text=&docid=138782&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=28029 (consulted on 11.6.2014)

[52] Cf. Martin & Ramos, 2014, available at http://www.singaporelawwatch.sg/slw/attachments/42063/1405-01%20Privacy.pdf (consulted on 13.6.2014)

[53] Retzer et al, May 2014, available at http://www.mofo.com/~/media/Files/ClientAlert/140514EURighttoBeForgotten.pdf (consulted on 13.6.2014)

[54] idem.

[55] idem.

Autor

Teilen

Zurück

Titel: The Right to be Forgotten in the European Human Rights Regime