The Internet is reputed to have a memory and it is not quick to forget. Every online action is committed to a digital record and stored online to be accessed at any moment.1 In recent times, due to the invasive nature of the Internet, arguments have been made that Data Subjects (persons whose data/information are being used) should be allowed to enjoy their privacy and be entitled to the right to be forgotten. This right has to be considered vis-à-vis public interest and the economic right of the publisher of the information. For example, if there is valuable information on the Prince of Wales that is published online, can the Prince of Wales, as the Data Subject, exercise his right to be forgotten and demand that the news item be deleted?
This article will explore the right to be forgotten, how it can be exercised and what has to be taken into consideration by the courts in different situations.
The right to be forgotten has its origin from the case of Google Spain SL, Google Inc v. Agencia Española de Protección de Datos, Mario Costeja González (2014)2 and was subsequently codified in the European Union General Data Protection Regulations ("GDPR").3 In this landmark case, Mr Costeja González, a Spanish national resident in Spain, lodged a complaint before the European Court of Justice ("the CJEU") against two national dailies, Google Spain and Google Inc. He complained that upon entry of his name in the search engine of the Google group ("Google Search"), the information associated with his name was a real-estate auction connected with attachment proceedings for the recovery of social security debts. He contended that the attachment proceedings had been fully resolved for a number of years and that reference to them was now entirely irrelevant. He, therefore, demanded that the offensive online information should be deleted as it was inaccurate.
While delivering its ruling, the CJEU considered the privacy rights of the complainant over Google's economic interest. The court stated that the attachment proceeding was ubiquitous as it was not only accessed by Google Spain, but also by everyone through the parent body, Google Inc. Consequently, the court made its ruling in favour of Mr Gonzalez and held that the information regarding Mr. Gonzalez and the attachment proceedings should be deleted. This decision has served as a locus classicus and reference authority on the right to be forgotten.
APPLICATION OF THE RIGHT IN NIGERIA
In 2019, the Nigerian Data Protection Regulation ("NDPR") was introduced and one of its highlights is the recognition of the rights of Data Subjects including the right to be forgotten. Although there has been no case law or judicial authority in Nigeria on the right to be forgotten, the NDPR entitles a Data Subject to request the deletion of personal data. Interestingly, this right is not absolute and will only be granted in certain circumstances.
Section 3.1(9) of the NDPR provides that a Data Subject will have the right to request the deletion of his/her personal data, and the data controller is to delete the data in certain circumstances such as, where:
- the personal data is no longer necessary in relation to the purpose for which it was collected or processed. Thus where, for instance, information was collected for employment purposes and the Data Subject subsequently leaves the organisation, the ex-employee can request that certain information regarding his employment, that is no longer necessary, be deleted; or
- the Data Subject withdraws consent on which the processing is based (for instance, websites now have cookies where you can click consent or untick the consent box); or
- the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing (overriding legitimate grounds could include public interest, vital interest); or
- the personal data have been unlawfully processed (probably without the consent of the Data Subject or processed beyond the consent obtained); or
- the personal data must be erased for compliance with a legal obligation in Nigeria.
A critical issue to consider in implementing the right to be forgotten is the cross border nature of the Internet. In the popular case of Google v CNIL4 the CJEU held that there was no obligation under the European Union (EU) law for Google to apply the European right to be forgotten globally. The decision clarifies that while EU residents have a right to be forgotten flowing from the GDPR, its territorial limitation is only applicable to the EU states. The CJEU further held that the right to protection of personal data is not an absolute right but must be considered in relation to the function in society and be balanced against other fundamental rights.
It is anticipated that the Nigerian Courts might lean towards the territorial limitation of this right on the basis of sovereignty which recognises the full right and power of a nation to exercise its territorial independence without any interference from another nation.
Additionally, in some instances, the concept of total erasure of the information may be unattainable. A quick understudy of some of the decisions of the Belgian Court of Cassation ("BCC") reveals this.5 For instance in 2016, the BCC ordered a newspaper to anonymise an online version of its 1994 newspaper article concerning a fatal road traffic accident that the applicant had caused through drunk driving. Since the complainant had spent his conviction, the BCC upheld his right to be forgotten on the condition that the event actually occurred and the report per se is justifiable. The BCC while giving its decision, stated that where total erasure may not be achieved in the circumstance, suppression of the personal data may be a suitable alternative.
The alternative to total erasure could be data minimisation techniques such as anonymisation6, encryption7 and pseudonymisation8. Even though this has been argued by many as being a sound approach, it appears to be totally unattainable where the reports are contained in texts or history books that have been published and sold to the general public. Nonetheless, the nature of the document will dictate the most efficient erasure technique. Furthermore, where the right to erasure is not achievable, it is our opinion that a combination of the data minimisation principle may be an effective measure to reach similar goals (privacy).
The rationale behind the right to be forgotten is that it is the interest of all of humanity that people are not adversely judged and/or punished as a result of some old infraction that does not represent their extant interests.9 With this right, Data Subjects will be confident that there are regulations to their online presence, slanderous or embarrassing statement can be removed from the public view and every individual can have the privacy they desire.
As application of the right to be forgotten is novel in Nigeria, a lot of trainings will be required for judges to understand the principles of the NDPR and the rights of Data Subjects. Furthermore, organisations should employ the use of a disposal schedule.10 This will serve as a guide for determining how and when personal data is to be destroyed and it will promote the effectiveness of Data Subject's right to be forgotten.
1. Sophie Perryer, The internet never forgets, but people do, The New Economy - https://www.theneweconomy.com/technology/the-internet-never-forgets-but-people-do accessed on 4 March, 2020
2. Available on the EUR-Lex website at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131#t-ECR_62012CJ0131_EN_01-E0001 and accessed on 4 March 2020
3. Intersoft consulting, available at https://gdpr-info.eu/issues/right-to-be-forgotten/ and accessed on 4 March 2020
4. Available on the curia.europa.eu website at http://curia.europa.eu/juris/document/document_print.jsf;jsessionid=FF2068A68B302A60C12B4191B752D64D?docid=218105&text=&dir=&doclang=EN∂=1&occ=first&mode=DOC&pageIndex=0&cid=1704403 and accessed on 4 March 2020
5. Case Law, Belgium: Olivier G v Le Soir: "Right to be forgotten" requires anonymisation of online newspaper archive' Olivier G v. Le Soir (29 April 2016, n° C 15 0052 F) accessed via http://private-law-theory.org/?p=9441 on 27 March, 2020.
6. Anonymisation means processing data with the aim of irreversibly preventing the identification of the individual to whom it relates. It is the most secure and is intended for information that should never be converted or shown to users.
7. For the implementation of encryption, an encoding algorithm can be used to turn into unreadable data all the information submitted. Thus, the encrypted information will appear as a sequence of meaningless characters.
8. Pseudonymisation is implemented when a series of sensitive information is linked not directly to the name, surname, social security number or email address, but to a secret code (pseudonym).
9. Joseph Steinberg, Why Americans Need and Deserve the Right to be forgotten, accessed via inc.com/joseph-steinberg/why-americans-need-deserve-right-to-be-forgotten.html on 2 April 2020.
10. A disposal schedule sets out the minimum amount of time specific types of records must be kept in accordance with legal obligations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.