The saying goes that ‘the internet never forgets’, but this may no longer be true.
Many people are now claiming a ‘right to be forgotten’ – the right to force companies and search engines to scrub personal data off the internet. This has many implications, but first: where did it come from?
The González Case
Mario Costeja González discovered that information about the repossession of his home was appearing in Google searches. In 2010, he filed a complaint against Google and the Spanish newspaper which had originally published the information online.
He argued that the information infringed his privacy rights, since the repossession proceedings had been resolved years earlier, and requested that Google and the newspaper be forced to take it down.
Mr. González was successful, with the Court of Justice of the European Union recognising a limited right to be forgotten under the EU’s Data Protection Directive. This applies where the data is inaccurate, inadequate, irrelevant or excessive.
However, the court emphasised that this must be balanced against other fundamental rights, such as freedom of expression.
Where to next?
In April 2016 the European Parliament approved the EU’s General Data Protection Regulation (GDPR). This Regulation is intended to replace the Data Protection Directive and vastly improve data privacy in the EU.
Among these improvements is a reinforced right to be forgotten. Individuals will have the right to request the removal of their data in a variety of circumstances, including:
- Where the data is no longer necessary in relation to the purpose for which it was collected.
- Where the individual withdraws consent.
- Where the individual objects to the data, and there is no overriding interest in keeping it.
Importantly, a person will not have to show that they have suffered harm or distress in order to make a request that data be taken down. However, such a request can be refused in certain circumstances, for example where rights of free expression are involved.
But wait, aren’t we leaving the EU?
Indeed we are, but the GDPR will come into effect on 25 May 2018 – a full 10-months before the UK is scheduled to exit the EU. Moreover the deadline for leaving may yet be extended, and there has also been talk of a transitional agreement extending until 2021. Until the UK has formally left the EU, the GDPR and all other EU laws will be fully enforceable in the UK.
Once the UK has left, all existing EU laws (including the GDPR) will be transposed into UK law by the Great Repeal Bill. The government will then decide which laws to keep, amend or abolish.