Article 17 of the General Data Protection Regulation (GDPR), known as the Right to Erasure, affords data subjects the right to have their personal data erased by a data controller.
The text of Article 17 specifically states:
“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay…”
The Right to Erasure does not exist as an absolute right and consideration must be paid to other overriding obligations, such as the right to freedom of expression or other legal/regulatory requirements.
When dealing with a Right to Erasure request, organisations have the difficult task of balancing the fundamental rights and freedoms of data subjects, against the aforementioned overriding obligations of which they are subject to. Better understanding the history and jurisprudence behind the Right to Erasure can assist when faced such with difficult decisions. This can be done by examining how the law was developed in the European courts prior to the implementation of the GDPR.
The Right to be Forgotten and Case C-131/12
The Right to Erasure is not a new concept introduced with the GDPR, however it does represent the first time such a right has been fully codified into legislation. Prior to the GDPR, Article 12 of Directive 95/46/EC (The Directive) simply stated that data subjects had the right to request their personal data be erased once that personal data was no longer necessary for processing.
It was only until the now well-publicised Case C-131/12 Google Spain v AEPD (Agencia Española de Protección de Datos – The National Data Protection Authority for Spain) and Mario Costeja González – The “Google Right to be Forgotten” case that we start to see the foundation being laid for the law we know today.
This case concerned the Spanish citizen Mario Costeja González, who in 2010 brought a complaint to the Spanish Data Protection Authority against a Spanish newspaper, Google Spain and Google Inc. regarding search results of his name still returning an auction notice circulated in 1998 about the repossession of his home, despite this now being long resolved. Mr González requested that the newspaper remove articles about him, or that either Google Spain or Google Inc. remove personal data relating to him from the auction notices, so his name no longer appeared in the search results.
Referring the case to the Court of Justice of the European Union (CJEU), the Spanish courts posed 3 questions:
- Did Article 12 of Directive 95/46/EC apply to search engines like Google?
- Did Directive 96/46/EC apply to Google Spain, despite personal data was processed in the United States?
- Does an individual have the right to request that their data be removed from the listings of a search engine?
In May of 2014 and after much deliberation, the CJEU stated in its response to the three questions posed by the Spanish courts when it handed down its decision. Namely, it said:
- Even if the geographical location of a server was located outside the EU, EU rules still apply to companies that operate search engines if they have a presence (i.e. a subsidiary) in a Member State.
- Search engine operators are considered controllers of personal data, therefore cannot escape their obligations to EU data protection law by claiming that they only aggregate data.
- Individuals have the right, under specified circumstances, to request search engines remove information. This is when information held is inaccurate, inadequate, irrelevant or excessive to the purposes of the original processing. This right is not absolute and must be assessed by the data controller on a case-by-case basis against other fundamental freedoms such as the freedom of expression.
This decision came somewhat of a surprise as it went well beyond the original questions put forward by the Spanish Courts. However, with the benefit of hindsight, we can now see that this would go on to form the basis for Article 17 of the GDPR, which applies today.
Point three of the CJEU’s decision is the most important one to bear in mind when handling Article 17 Right to Erasure requests. The court was very clear that such a right is subject to strict limitations aimed at preserving other fundamental rights and freedom of the press, freedom of speech and freedom of expression. This has now been directly translated into the GDPR to form part of Article 17(3), which provides the grounds for which an erasure request can be legitimately refused.
Understanding how the current regulatory obligations have been shaped can offer organisations a particular advantage if tasked with a difficult Right to Erasure request. An appreciation of how the law has historically developed in this area can be integral to the development of your organisation’s strategy when handling right to erasure requests. Historical knowledge can be further supplemented by more up-to-date reading, including the EDPB’s recently published draft guidelines (5/2019) on the right to be forgotten and search engines. (Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR- Part 1.)
Should you have any questions on either the Article 17 Right to Erasure, Chapter III data subject rights or any other issues related to data protection please feel free to get in contact with a member of Trilateral Research’s DCS team.