It is now common practice when you want to find out more about a person, to enter that person’s name into search engines such as Google, Bing or Eloisa. However, this research may violate privacy. In the past, the data subject may have disclose or allow to be disclose information about their private life on the Internet that they cannot or can no longer bear. There are many reputable agencies that track down this unwanted information. In our increasingly digital world, the right to be forgot has become essential and enshrine at EU level to protect EU citizens’ personal data.
What is the right to be forgot? definition
The right to be forgot is also known as the right to be forgotten process (see Article 17 of Regulation (EU) 2016/679, know as the General Data Protection Regulation). This right enables an individual to request the deletion of online information concerning them .
Two form of this right can often be distinguish: the right to de-listing and the right to deletion (in the narrower sense):
The right to delist allows an individual to request a search engine to remove certain search results associated with their first and last name . Delisting does not mean removal of information on the website, which remains available. The deletion of search results by the search engine is therefore possible independently of a potential removal of the information on the website on which it was publish.
The right to erasure (in the narrower sense), on the other hand, entitles a person to request the operator of a website to erase their own personal data if there is no longer a legitimate reason for storing it .
When did the right to be forgot arise?
The right to be forgot was introduce at European level by the Google Spain v. AEPD and Costeja Gonzales judgment of 05/13/2014. In this judgment, the Court of Justice of the European Union (CJEU) stated that the operator of a search engine is, under certain conditions, ” obliged to remove from the list of results displayed following a search based on a person’s name links to third-party websites to remove published websites with information about this person ”. This decision now allows European residents to request the removal of links leading to personally identifiable information where there is a legitimate reason.
According to the Court of Justice, such a deletion is mandatory for the operator of a search engine if “these rights [override] in principle not only over the economic interests of the operator of the search engine, but also over the interest of the general public in having access to the information in the case of a Search conducted on behalf of the data subject.”
The court emphasized that this obligation can exist even if the publication of the relevant information on the website is lawful.
What is the current European legal basis for the right to be forgot?
The right to be forgot is now enshrine in the General Data Protection Regulation (GDPR), which came into force on May 25th, 2018. This text significantly extend the scope of protection for Internet user provided by French law in the French Data Protection Act (No. 78-17 of 06/01/1978). Article 17 of the GDPR specify the condition under which the control is oblige to erase certain personal data. It also sets the limit of the gdpr case studies.