The internet is reputed to have a memory and it is not quick to forget. Every action committed through the internet is committed to a digital record and stored online to be accessed at any moment.
In recent times, due to the invasive nature of the internet, arguments have been made that Data Subjects (persons whose data/information are being used) should be allowed to enjoy their privacy and are entitled to the right to be forgotten. This right has to be considered vis-à-vis public interest and the economic right of the publisher of the information.
Thus, for example, if there is valuable information on the Prince of Wales that is published online, can the Prince of Wales, as the Data Subject, exercise his right to be forgotten and demand that the news item be deleted?
This article will explore how the right to be forgotten can be exercised and what has to be taken into consideration by the authorities in different situations.
Scope of the Right to be Forgotten
The right to be forgotten has its origin from the case of Google Spain SL, Google Inc v. Agencia Española de Protección de Datos, Mario Costeja González (2014) and was subsequently codified in the European Union General Data Protection Regulations (“GDPR”).
In this landmark case, Mr Costeja González, a Spanish national resident in Spain, lodged a complaint before the European Court of Justice against two national dailies, Google Spain and Google Inc. He complained that upon entry of his name in the search engine of the Google group (‘Google Search’), the information associated with his name was a real-estate auction connected with attachment proceedings for the recovery of social security debts. He contended that the attachment proceedings had been fully resolved for a number of years and that reference to them was now entirely irrelevant. He therefore demanded that the offensive online information should be deleted as it was inaccurate.
While delivering its ruling, the Court considered the privacy rights of the complainant over the economic interest of Google. The Court stated that the attachment proceeding was ubiquitous as it was not only accessed by Google Spain, but also by everyone through the parent body, Google Inc. Consequently, the court made its ruling in favour of Mr Gonzalez and held that the information regarding Mr. Gonzalez and the attachment proceedings should be deleted. This decision has served as a locus classicus and reference authority on the right to be forgotten.
Application of the Right in Nigeria
In 2019, the Nigerian Data Protection Regulation (“NDPR”) was introduced and one of its highlight is the recognition of the rights of Data Subjects including the right to be forgotten.
Although there has been no case law or judicial authority in Nigeria on the right to be forgotten, the NDPR entitles a Data Subject to request the deletion of personal data. Interestingly, this right is not absolute and will only be granted in certain circumstances.
Section 3.1(9) of the NDPR provides that a Data Subject will have the right to request the deletion of his/her personal data, and the data controller is to delete the data in certain circumstances such as, where:
- the personal data is no longer necessary in relation to the purpose for which it was collected or processed. Thus, where for instance, information was collected for employment purposes and the Data Subject subsequently leaves the organisation, the ex-employee can request that certain information regarding his employment, that is no longer necessary, be deleted; or
- the Data Subject withdraws consent on which the processing is based (for instance, websites now have cookies where you can click consent or untick the consent box); or
- the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing (overriding legitimate grounds could include public interest, vital interest); or
- the personal data have been unlawfully processed (probably without the consent of the Data Subject or processed beyond the consent obtained); or
- the personal data must be erased for compliance with a legal obligation in Nigeria.
A critical issue to consider in implementing the right to be forgotten is the cross border nature of the internet. In the popular case of Google v CNIL, the European Court of Justice held that there was no obligation under the European Union (EU) law for Google to apply the European right to be forgotten, globally. The decision clarifies that while EU residents have a right to be forgotten flowing from the GDPR, its territorial limitation is only applicable to the EU states. The Court further held that the right to protection of personal data is not an absolute right but must be considered in relation to the function in society and be balanced against other fundamental rights.
It is anticipated that the Nigerian Courts might lean towards the territorial limitation of this right on the basis of sovereignty which recognises the full right and power of a nation to exercise its territorial independence without any interference from another nation.
Additionally, in some instances, the concept of total erasure of the information may be unattainable. A quick understudy of some of the decisions of the Belgian Court of Cassation reveals this. For instance in 2016, the Court ordered a newspaper to anonymise an online version of its 1994 newspaper article concerning a fatal road traffic accident that the applicant had caused through drunk driving. Since the complainant had spent his conviction, the court upheld his right to be forgotten on the condition that the event actually occurred and the report per se is justifiable. The court while giving its decision stated that where total erasure may not be achieved in the circumstance, suppression of the personal data may be a suitable alternative.
The alternative to total erasure could be data minimisation techniques such as anonymization, encryption and pseudonymisation. Even though this has been argued by many as being a sound approach, it appears to be totally unattainable where the reports are contained in texts or history books that have been published and sold to the general public. Nonetheless, the nature of the document will dictate the most efficient erasure technique. Furthermore, where the right to erasure is not achievable, it is our opinion that a combination of the data minimisation principle may be an effective measure to reach similar goals (privacy).
The rationale behind the right to be forgotten is that it is the interest of all of humanity that people are not adversely judged and/or punished as a result of some old infraction that does not represent their extant interests. With this right, Data Subjects will be confident that there are regulations to their online presence, slanderous or embarrassing statement can be removed from the public view and every individual can have the privacy they desire.
As application of the right to be forgotten is novel in Nigeria, a lot of trainings will be required for judges to understand the principles of the NDPR and the rights of Data Subjects.
Furthermore, organizations should employ the use of a disposal schedule. This will serve as a guide for determining how and when personal data is to be destroyed and it will promote the effectiveness of Data Subject’s Right to be forgotten.
Florence Bola-Balogun and Opeyemi Adeleke are associates of the firm.