Privacy, Protection of our data: the right to be forgotten online versus freedom of information

-- By CarlaDULAC - 06 Oct 2019

My worries about having no say in the use of my personal data.

If we were to ask quite wealthy people from our generation if they own a smartphone, use the internet on a daily basis or have social media accounts, their answer would be yes without any hesitation. But what they and I haven't realized when using those technologies, is that we share our personal information either intentionally or unintentionally with private or public entities worldwide, that tend to violate our right to privacy by selling information without our consent to companies we haven't even heard about. Personal data are any anonymous data that can be double-checked to identify a specific individual.

Those data are precious for companies because they reveal our preferences, our likes that can be sold to other companies to increase their sell. Following this discovery, we can feel frustrated because it is something we were unaware of when we started using the internet or social media since no one explained it or talked to us about it.

One could argue it is easy to blame those companies and that it is our responsibility as individuals to react and do something. But by the time we heard about it, it was too late. We were already connected and dependent on social media, the internet. Our personal data were already used and sold everywhere in the world. Our discouragement gets bigger when we think about what to do to correct that, to make things change. One idea that emerged was to make the personal information that was gathered unlawfully disappear, be erased. One way to answer that problem was that states had to step in and protect our data.

The EU is concerned with the right to be forgotten but doesn't address the real issue.

The right to be forgotten entered the European Union privacy sphere with the 2014 judgement of the ECJ involving Google. It enabled people to demand the removal of links to information that are inaccurate, inadequate, irrelevant or excessive. This is called right to be forgotten. Then, it was implemented under article 17 of the General Data Protection Regulation (GDPR). The right to erasure grants data subjects a possibility to have their personal data deleted if they don't want them used anymore and when there is no legitimate reason for a data controller to keep it. It seemed a good way to act posteriorly and find a way to correct our past mistakes. But can we really rely on it? It did not take long before we could see the limit of this regulation.

In fact, the ECJ issued a ruling on September 25, 2019, regarding the implementation of the EU's right to be forgotten. This dispute involved Google and France's data authority (CNIL). The ruling held that CNIL can compel Google to remove links to offending material for users that are in Europe, but can't do that worldwide. We should not be shocked with the ECJ ruling,that denies all extraterritorial effect to any EU measures that want to implement the duty to forget coercively. It was foreseeable since a different ruling could have been viewed as an attempt by Europe to police an US tech giant inside US borders.

When we read through the decision, we see another underlying problem: how can right to privacy and freedom of information work together. France asked the Court to extend the right to be forgotten universally to people outside the EU. Google argued that such a ruling may result in global censorship and infringement of freedom of information rights. The real issue at stake is: can we impose on other a duty to forget?

What about freedom of information in the context of censorship ?

GDPR can be used to erase online content, whether or not that content actually violates anyone else's rights. Such a use could constitute a violation of freedom of information with is part of the fundamental right of freedom of expression.Those rights are recognised in international law, as in the article 19 of the Universal Declaration of Human rights. It is true that there are some very important concerns about data protection and privacy in face of mass collection of our data by companies, but the way "right to be forgotten" is built is not appropriate. In fact freedom of expression for the public interest is essential, even for information obtained unlawfully.

In my opinion, the right to be forgotten as designed by the GDPR is in total opposition with the freedom of expression. The right to ask search engines to de-index web pages, as well as the right of erasure, is encompassed in this legislation. What I think is problematic is that under article 17, it's data controllers (usually search engines) which are the initial adjudicators of requests. This is problematic because search engines do not own the content that the individual is asking to have removed. Editorial decisions must rest with publishers; not tech companies. A site does not have to be indexed (the process of downloading a site or a page's content to the server of the search engine, thereby adding it to its index), to be listed (showing a site in the search result pages). If the indexer decides to de-index a page, it does not remove the source content from the internet: It only mean the underlying website will not be listed in the search results. As a result, de indexing can be compared to a right to obscurity or a right to oblivion. Furthermore, it is on our behalf that states have a right to censor indexes, using deindexing orders. Once again it questions about censorship: states impose us a duty to forget those indexes. We can’t say anything. Why can’t we deal with our information the way we want? Why do we need a third part to be involved?

What should be done in order to change that? EU law isn't providing ways to effectively protect privacy and individuals often part with their information without knowing that they have surrendered some privacy. The answer to the problem is maybe to forbid the right to be forgotten, since it does more harm than good. From a physiological or neurological point of view, no one can be forced to forget. Privacy is a very important right that must be protected, but there are limits. If you did something, you did it. If something was published, it cannot be unpublished. Another argument is to know where does the right to be forgotten fit into a world that functions through blockchain which is designed precisely to record everything permanently?


You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.