A discussion of the GDPR’s somewhat confusingly named ‘right to be forgotten’
For the last few months, there’s been a lot of discussion of the forthcoming changes to data protection law – out with the much-maligned Data Protection Act, in with the shiny new General Data Protection Regulation (GDPR). One part of the new law which particularly concerns us is the ‘right to erasure’. This isn’t a right to cheesy disco classics (that would make privacy law a whole lot more fun!) but the so-called ‘right to be forgotten’. To be fair, it genuinely is subtitled the ‘right to be forgotten’, but we say ‘so-called’ because we’re concerned it’s hardly a ‘right’ (it’s hedged about with a bunch of qualifications and caveats and is subject to a number of important judgment calls) nor is it really about being forgotten, at least not entirely.
It all started when one Mario Costeja González got upset at constant references on Spanish Google (google.es) to his historic bankruptcy and the consequent repossession of his house. This continued to be one of the most significant results thrown up by a search for Sr González’s name, even a decade later. He sued Google all the way to the European Court of Justice, which decided that Google was mis-processing his data. Although the story of his bankruptcy was accurate and factual, it was no longer current or relevant enough to deserve such prominence and, while it did not have to be deleted from electronic news archives, Google was told to ‘delist’ it so it would not be revealed following a simple search for Sr González’s name.
Already you can see the problems such a decision throws up – how to settle the conflicting rights of freedom of expression, of privacy, of journalistic integrity? When does one’s man honest desire to be given a break become a chance to airbrush history to suit a particular agenda? Although lawmakers conjured this new right into being, it’s now hardwired into the GDPR (Article 17, since you ask) but enforcement has effectively been delegated to private organisations like Google which have concerns and interests of their own. And while the GDPR imposes an obligation on individual states to reconcile this right with other rights to freedom of expression and information, it’s a rather off-hand reference and we’re still waiting for details of exactly how the UK or anywhere else will achieve this. We’ve tried to discover a little something to make it clearer (or maybe more plain) but it’s breaking our hearts!
In the meantime, we’re worried that individuals will be beguiled by the apparent bluntness of the right (and so find themselves disappointed, more often than not), or be tempted to misuse it to edit the public record to their convenience. Since 2014, Google alone has received 400,000 requests in Europe to delist some 2.4 million references. Fewer than half of these have been granted, and some were outright fraudulent; one convicted benefits cheat tried to get his offences delisted by forging ‘proof’ of his innocence! One of the problems with the current Data Protection Act is that it has become widely misunderstood, mistrusted and misapplied. The GDPR is supposed to be a fresh start, aiming to achieve popular engagement and support, but there’s a danger it will go down the same route if Joe and Joanna Public see it as failing to deliver on its (over)promises or as being a tool only of rich, vested interests.
While we’re thinking about it, one somewhat nonsensical consequence of the right to be forgotten is that businesses will find themselves having to take active steps to remember who they’ve had to forget, just in case they need to remind themselves who they’ve forgotten or prove to others what they no longer know! Ooh, sometimes, the truth is harder than Spain implied.