In Greek Mythology the river “Lethe” has a significant standing. Lethe was the underworld river of oblivion. A mere drop from the river can make someone begin to forget their whole identity. In today’s social media world where nearly every life is lived online, data protection legislations also enables and defines the right to be forgotten as not a myth but a real designated right to every individual.
General Data Protection Regulation (GDPR)
Scope of GDPR
Sanctions in GDPR
Right to Be Forgotten vs. Freedom of Expression
Turkish Data Protection Law (TDPL)
Sanctions in TDPL
Right for privacy or private life arose in the European continent with the European Convention on Human Rights in 1950, with Article 8 for Right to respect for private and family life. With the improvements in technology and data transfers; Data Privacy rights have emerged under the right for privacy as a new evolving issue which deals with utilizing data while protecting individual's’ privacy preferences and their personally identifiable information.
The European Commission has dedicated immense time and effort into creating a legislation that boasts a solid protection of personal data against potential violations, while imposing precautions in order to ensure the protection of fundamental rights. Since the Directive 95/46/EC (Directive), the main objective of all legislation pertaining to the protection of personal data, has been a struggle of balancing fundamental rights against rights depending on the circulation of information. In doing so, they’ve introduced preventative measures for foreseeable violations. The current General Data Protection Regulation (GDPR) and the Turkish Data Protection Law (TDPL) are established on identical principles. Granted that the implementation and practicality of all legislations differ once reviewed in depth. The right to be forgotten exists among these laws but the extent of the application of the right varies.
The GDPR, published in April 2016 and effective from May 2018, provides a right to erasure of personal data. Although, the Directive had already laid down the right to be forgotten as a principle, the GDPR, undoubtedly, has given the principle flesh and bones. According to Article 17 (1) of the GDPR, ‘The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay’. The article continues with a list of specific circumstances for when the data subject can invoke his or her right. These include; if the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed or if the data subject withdraws consent on which the processing is based.
It is predominantly clear that the GDPR has provided a profound groundwork for how the right to erasure can be exercised. The rights of the data subject have been guarded against potential problems arising after the data has been obtained.
Article 17 (2) of the GDPR specifies that the data controller who has made the personal data public, should take reasonable steps, including technical measures to erase the data upon request of the data subject. Ergo, if the data subject has been granted the right to erasure under Article 17 (1), the data controller should do everything, including notifying all involved controllers, to make sure the data is erased from all sources along with ‘any links to, or copy or replication of, those personal data’.
The GDPR has a universal application. According to Article 3, the territorial scope of GDPR goes as far as to include ‘the processing of personal data in context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not’. According to the scope of the GDPR, companies established outside the EU will still be bound by GDPR, granted that they offer goods or services, irrespective of whether the data subjects are required to make a payment or not, to EU member citizens. Article 3 has set the foundation for multinational intervention on personal data violations. Google, as a data controller, has already been abiding by Article 12 of the Directive 95/46/EC and removing personal data content accordingly. With GDPR, search engines are once again the most prominent party to all disputes. Additionally, companies who process personal data of data subjects who are citizens of EU Member States for marketing purposes also have to abide by the GDPR.
The companies who fail to secure the rights of the data subjects and violate their rights will face costly charges. As outlined in Article 83 (4) of the GDPR, if the cause of the infringement, or in other words non-compliance, is found to be regarding the controller or the processor, the certification body or monitoring body, the administrative fine could be up to 10,000,000 EUR or 2% of worldwide turnover. Similarly, according to paragraph (5) of the same Article, Data protection authorities will have the right to impose fines of up to 20,000,000 EUR or 4% of the annual worldwide turnover of the company, if the GDPR’s core principles are violated. These include the processing of the data, the rights of the data subject and obligations pursuant to Member State law. Additionally, The EU commission, reversed the burden of proof with the GDPR. Individuals will no longer have to prove why they need the personal data removed but instead, the companies will have to prove that the data cannot be deleted because it’s still relevant and necessary.
Discussions about how the right to erasure may undermine freedom of expression and access to information is taking place all over the globe. It has been argued that deleting certain news links about certain people, may be giving criminals a blank slate and setting them free from the burden of their past mishaps. Whether this is a positive aspect or not is a controversial topic.
In a case concerning the removal of personal data from a search engine, the European Court of Justice held that ‘the right to be forgotten is not absolute but will always need to be balanced against other rights, such as the freedom of expression and the rights of the media’. In this case (c-131/12), a Spanish lawyer, Mario Costeja Gonzales, requested that news about the foreclosure on his house be removed from the website of a local newspaper. Years had passed since the time of the hardship he had encountered, and he had eventually managed to turn his life around. However, the news about his economic adversity had remained on the internet and popped up every time he typed his name into the search engine. Now that the content of the news was irrelevant and inaccurate, Mr. Gonzales wanted the links to be removed. The court made the decision to grant Mr. Gonzales the right to erasure and ultimately laid the basis for the right to be forgotten. Ever since this decision, there have been numerous discussions about how this right will be balanced against other fundamental rights. The freedom of expression under Article 10 of the European Convention on Human Rights, isn’t an absolute right. The enforcement of this right needs to be weighed against other rights concerning the privacy of individuals. As a result, the European Court of Justice has ruled that all disputes concerning the issue of personal data erasure, should be dealt with on a case by case basis. This will allow the court to make well-balanced decisions, since they’ll be reviewing every case based on its individual merits.
Article 17 (3) of GDPR on the other hand, specifically mentions the circumstances in which Article 17 (1) and Article 17 (2) will not be enforceable. If processing of personal data is necessary for certain reasons, the data subject will not be able to invoke his or her rights identified under Article 17 (1) and 17 (2).
The reasons which override the right to erasure include the exercising of the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest in the area of public health, for achieving purposes in the public interest, scientific or historical research purposes or statistical purposes and finally for the establishment, exercise or defence of legal claims. The balance aspect of the right is defined under this paragraph. The European Council has written an evidently clear regulation which has set guidelines for the right. Both the reasons for when an individual can and reasons for when an individual can’t invoke his or her right to be forgotten are spelled out distinctly, leaving little room for confusion.
After years of debate and waiting Turkish Law on the Protection of Personal Data (no 6698 and originally named “Kişisel Verilerin Korunması Kanunu”) was published in Official Gazette in 07.04.2016.
The right to erasure, which has also been cited as the ‘right to be forgotten’ also exists in a similar manner under the TPDL. Article 7 of the law, renders it possible for the data subject to request the data controller to ‘erase’, ‘destroy’ or make the personal data ‘anonymous’. Be that as it may, the vagueness of this particular article was an invitation to potential problems arising with regards to the right. TDPL only seems to allow the invoking of this right if the reasons for processing the data have become redundant or if the data was attained unlawfully. Regardless, the right to be forgotten isn’t an absolute right and is dependent on the specific situation of the data subject and the nature of the obtained data.
In 28 October 2017, The Regulation on the Erasure, Destruction or Anonymization of Personal Data (“Regulation”) was published in the Official Gazette and this by-law entered into force on 1 January 2018. Regulation consists of a short text that involves principles of personal data storage and disposal policy for erasure, destruction and anonymization of personal data. The Regulation echoes the same principles of Article 7 of the Law, but the regulation wording does not explicitly mention “right to be forgotten”.
On 17 July 2020 the Board made a public announcement about requests of persons for the exclusion of name and surname from the searches made on the search engines index, the Board has mentioned about these requests under the right to be forgotten and added that:
- Right to be forgotten is a framework concept that can be evaluated under article 20 of Turkish Constitution, article 4,7 and 11 of the Law and article 8 of the Regulation
- The requests of persons for the non-access of name and surname on the web searches is regarded as exclusion from the index
- The search engines are accepted as a Data Controller under article 3 of the Law
- The search engines activities are accepted as data processing activity
- Data subjects first need to apply to search engines for exclusion from the index requests. They then have the right to apply to the Board if the request is not fulfilled by search engines.
- The search engine companies shall define procedure and content for the persons to apply for exclusion requests.
- Upon the exclusion requests of the persons, the Board shall apply balance of rights test between the privacy right of persons and the right to access the information of public with the below 13 criteria:
o Is the data subject an important person in the eyes of the public?
o Are the search results related to a child?
o Is the content of the information true?
o Is the information related to the work life of the person?
o Does the information in the search engines involve an insult, discrediting slander?
o Is the information on the search engines deemed to be a special category of personal data?
o Is the information on the search engines updated?
o Does the information on the search engines constitute a prejudice against the person?
o Does the information on the search engines constitute a risk to the person?
o Is the information on the search engines published by the person?
o Does the original content involve data processed in the scope of journalistic activities?
o Is there a legal obligation for the data to be published?
o Does the information on the search engines relate to a penalty for a crime by the data subject?
- Upon the rejection or non-fulfilment of their exclusion requests the data subjects have the right to apply directly to court along with application to Board.
- All the procedures and merits of this announcement will be notified to the search engine companies for their actions to provide for all Turkish citizens to use their right to be forgotten.
The monetary sanctions in TDPL are significantly lower than those in GDPR. According to article 18 of TPDL, those who fail to comply with obligations related to data security (prevent unlawful processing and access) shall be required to pay an administrative fine of maximum 1,802.636 Turkish Lira (according to the update in misdemeanour law in 2020) which corresponds to approximately 230.00 EUR.
However, TPDL also gives a reference to the Turkish Criminal Code (TCC) for privacy crimes. Article 138 of TCC reads that failure to dispose of personal data is subject to two years imprisonment for the real person representatives of data controllers. Accordingly, failure to implement legit requests of data subjects for the right to be forgotten, may also be subject to TCC according to the said article.
With regard to the right to be forgotten, the GDPR and TDPL have significant differences. The European regulation entails a detailed manifestation of the right to be forgotten including how it will be implemented and under what circumstances it could be invoked. Whereas, the TDPL had substantial vagueness. With the recent announcement and the Regulation, the Turkish Board has introduced criteria and clear guidelines for the right to be forgotten. Nevertheless, for the right to be forgotten there is always a possibility to attract criticism from many specialists and journalists. The main reason why the right to be forgotten has been appraised by several sources is because it undermines the freedom of expression and the right to access information.
The GDPR and TDPL have legislated different methods as penance for when and if the personal data subject’s rights are violated. The fact that the penalties differ is bound to cause problems in the long run for companies. This situation may cause confusion regarding which of the regulations will be referred to when it comes to deciding how to punish the infringements.
Given this situation, we may argue; is the right to be forgotten ‘really’ available? Different jurisdictions such as Europe and the United States aren’t founded upon the same values. For multinational companies, the differences of Data Privacy Laws and the applicability of them triggers high risk, especially in data transfer and process applications. For Europe and Turkey, we will need further clarification on the applicability of right to be forgotten through by-laws and court rulings. In the meantime, Data Privacy Officers/Compliance Officers of multinational companies will need to consider these differences to create a robust Data Privacy compliance programme to mitigate the risks.