The Court of Justice of the European Union’s recognition of a right to obtain the removal of one’s personal data displayed in search engine results (Case C-131/12, Google Spain, EU:C:2014:317) has opened policy discussions on the conditions under which individuals’ data are to be deleted by data controllers. Those discussions culminated in Article 17 of the new General Data Protection Regulation 2016/679 (GDPR) explicitly stating that every data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay. That right is not unconditional, as only data no longer necessary or unlawfully collected can be subject to such a request. In addition, to the extent that processing is necessary in the public interest, the right cannot be invoked.
Despite its explicit recognition, the exact scope of the right to be forgotten cannot be derived clearly from the wording of Article 17 GDPR. Indeed, even a superficial reading of that provision immediately allows two different interpretations of this right to be distinguished. On the one hand, a right to be forgotten could be read only to incorporate an entitlement to a simple erasure, i.e. the mere technical delisting of data from being displayed in search results or databases. On the other hand, a more fundamental obligation to ensure the permanent removal of one’s data, a so-called “oblivion” approach could equally be envisaged in this context. Throughout the GDPR, references to both approaches can be detected simultaneously.
The erasure approach
Arguing in favour of the mere erasure approach, one could argue that the provision only speaks about the erasure of data. As such, it does not seem to impose the permanent removal of those data from the controller’s processing systems. At the same time, however, Recital 65 GDPR would seem to imply that further retention of the data should be made impossible when a successful request for erasure is made. In the same way, the GDPR demands that “a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data” (recital 66). As such, the Regulation could equally be read as calling for a more extensive oblivion approach.
The lack of clarity regarding the scope of Article 17 is likely to raise practical problems from the point of view of data controllers called upon to implement it in their day-to-day business practices. When called upon to apply Article 17, erasure and oblivion approaches would entail different compliance obligations for those businesses.
On the one hand, an erasure approach would merely require from data controllers to have at their disposal tools ensuring that, upon request of an individual, the latter’s personal data are no longer displayed. Those data could still be stored and remain on the servers of the data controller in principle for any potential future – and permitted – use or may even have to be retained for law enforcement purposes in the context of applicable and valid data retention regulation.
The oblivion approach
On the other hand, an oblivion approach would seem to oblige data controllers permanently to remove personal data from their servers, rather than making them inaccessible. This approach presupposes that, at the request of a data subject, all relevant data are permanently removed and that technological tools have to be in place to make this happen. In that case, EU law would require an individual’s commercial transaction history to be deleted entirely and permanently from an online selling platform or any other data controller. In the same way, robots or robotic devises in personal homes, which register data, could be requested to have a feature to delete all private or personal data registered as side-effects of their day-to-day activities. To the extent that oblivion would be the approach preferred, businesses would or could have to put in practice means automatically and ex ante to remove irrelevant personal data from their data storages in order to comply with Article 17 GDPR. At present, it is unclear, however, to what extent such a pro-active data removal strategy is even compatible with EU and Member States’ data protection and retention regulation frameworks.
One could even speculate, in this respect, that the nature of the data controller may justify the imposition of different right to be forgotten obligations on different controllers. As such, an erasure approach is considered more feasible in certain sectors such as search engines, whereas an oblivion approach is preferable in others such as in the context of robots interacting with humans. The GDPR refrains from even hinting at the pertinence of such a distinction.
The need for clarification
In light of the foregoing uncertainty about the exact scope of Article 17 GDPR and the differing compliance consequences different interpretations of that provision entail, an interpretative communication bringing clarity regarding the scope of that provision and concrete steps to be taken for its implementation would be more than welcome. Preferably authored by the European Commission or the Working Party of Member States’ data protection authorities, the communication would have to offer concrete guidance to data controllers confronted with right to be forgotten claims. If chosen as a policy option, I would even recommend the communication to make a distinction between different types of data controllers and reflect on specifically tailored “erasure” or “oblivion” steps to be taken by them depending on their particular activities. In doing so, more specific “right to be forgotten” compliance steps could be crafted in relation to specific data protection activities engaged in by different controllers, which could help better to understand and apply the right to be forgotten as envisaged by Article 17 GDPR. In order to avoid the right to be forgotten becoming a toothless monster when the GDPR will come to apply in May 2018, now would be a good time to take such action.
Pieter Van Cleynenbreugel est professeur de droit européen à la Faculté de Droit, de Science Politique et de Criminologie de l’Université de Liège et co-directeur du Liège Competition and Innovation Institute (LCII). Il y enseigne le droit matériel de l’Union européenne ainsi que plusieurs cours spécialisés. Titulaire d’un doctorat en sciences juridiques de la KU Leuven et d’un master complémentaire en droit économique de l’Université de Harvard, ses recherches portent sur le marché unique numérique, le droit européen de la concurrence et le droit administratif européen.