The Right to be Forgotten
The right to start a new life free from the faults and mistakes of the past, if you have sinned at some time and were punished or regretted and changed your mind and behavior, do you have the right to erase that past with its mistakes, or should it stick to you wherever you move?, In the world of cyberspace, everything is archived and traceable, everything you write on social media, everything people write about you on websites, your criminal and health status, everything now includes data and information, whether personal or sensitive, and here a new right appears, the right to erase, the right to be forgotten.
Two scenarios you need to know first
- A politician who ran for parliament. He has a bad past. He harassed a woman three years ago and was convicted. Newspapers wrote about him and the case. He now wants to appear to voters in a new and different appearance. He is trying to communicate with websites to erase what was written about him. Does he have that right?.
- A successful man works in a Big company, competitors in other companies want to tarnish his image, and offend his reputation, so they paid bribes to different websites to write about him many things that are not true, suddenly when he searched his name in Google — for example — he found many things It offends him and is not a true. The question here is: Does he have the right to erase?.
Legally, let’s discover the right to be forgotten
I told these two stories just to know the issue fully. Does everyone have the right to erasure without exception, or are there special cases? Let’s discuss the right to erasure from the point of view of Egyptian law, international laws and treaties, and even the concept of the right to erasure in general, as well as let us list the topic from Technical point of view, first of all, what is the definition of the right to be forgotten?.
We are talking about a person who has the right or doesn’t have the right to erase his personal data, so we should first define the person who has the data according to the Egyptian law and international and European laws, In the Personal Data Protection Act- in the Egyptian Law — in Article 1 , he is the person to whom electronically processed data is attributed to him legally and can be distinguished through it, but in General Data Protection Regulation ( GDPR ) In Article 4, the data subject is A person who can be identified, directly or indirectly, by reference to the ID or any physiological, psychological, mental or social factors.
Also in the French law (Article 2) of the Informatics and Freedoms Act, it is also clarified that the is the person whose data is the subject of processing, And now we will talk about the rights of the data subject, there are many rights, of which certainly the right that we are talking about, the right to erase or the right to be forgotten.
The Right to be forgetten
The data subject has Many rights, the right to know, obtain and access personal data, the right to withdraw consent to keep or process the data, the right to correct and modify the data, and certainly the right to erase the data or the right to be forgotten, We will discuss in detail the idea of the right to be forgotten or the right to erase personal data, from a legal or technical perspective.
It is not easy to erase the information in the memory of the Internet, it is a huge and complex network, it collects users’ activities, comments, photos, news, and data, and stores and retains it for an unlimited period, this data is available anywhere in the world and can be accessed any time, this information may be incorrect and yet it remains available to everyone.
This has become a problem for the data subject, a violation of his privacy, in some cases he has the right to erase his data, the right to be forgotten, this old or incorrect information should not remain available, and here the law, whether Egyptian, European or international — in general- began to discuss this right, this right is intended to completely delete any data with the processor, controller or holder when canceling the service or leaving the application and not keeping copies of it for any reason, including removing links from social Media websites or search engines, etc.
This right has received great attention in Europe, especially after the ruling of the European Court of Justice issued on May 13, 2014 no. C-131/12 against the search engine “Google”, The European legislator recognized the necessity of establishing the right to be forgotten and stipulated in Article 17 of The General Data Protection Regulation ( GDPR ), the right of the data subject to request from the controller or processor to erase his data.
The Egyptian legislator did not specify the cases in which the right to erase or forget can be applied, but the European legislator paid attention to this and specified the cases in Article 17 of the General Data Protection Regulation ( GDPR ), The data is no longer necessary to achieve the purposes for which it was collected, or the user withdraws his consent in accordance According to Articles 6 and 9, Or the data subject’s objection to the processing in the event that such processing is not necessary.
The right to be forgotten is related to electronic artifacts, digital memories, data and information about a person, including their activity on social media, search engines, forums and websites, which also includes their opinions and ideas that they share on the Internet.
Google is a clear case
On May 13, 2014, a judgment was issued by the European Court, in the case of the famous case of Mario Costega against Google Spain and the Google located in the United States of America, which contains Removing search results related to personal data when they are inaccurate or outdated, even if the content is True and legally published as long as one wishes to forget it.
The Court based its decision on the provisions contained in European Directive 95/46 Regulating the Protection of the Processing and Transfer of Personal Data, as well as the European Convention Human Rights Issued in 1950, Here, Google has included in its policy in the Transparency Report, users’ announcements to its engine under the influence of the European privacy Act in the search engine, Google, and requests to delete content in according to the same Act, as well as requests to delete URLs from Google search to preserve privacy.
The legality of keeping the personal data
The legality of keeping personal data depends either on the consent of the person concerned or the approval of the National Committee for the Protection of Information Freedoms, which prohibits the processing of some personal data stipulated in Article 8 related to sensitive data such as ethnic or sexual origin, political or religious affiliation, or others, and Article 9 related to crimes and convictions and security measures, and Article 10 dealing with processing judicial decisions.
The legislator has also made exceptions in which personal data can be processed without referring to the person concerned in Article VII with regard to the person’s consent, and Article 25 regarding the exception to obtaining permission from the National Committee for the Protection of Information Freedoms, such as the public interest of the state and treatments related to the statistical, health or medical fields or research and historical studies.
In France, the French Court of Cassation issued on November 19, 2014, rejecting the appeal of a person requesting annulment of his baptism, as he declared that he did not belong to the Catholic Church, His request was based on the fact that dealing with this data constitutes a violation of Article 8 of the Information Freedoms Law, which prohibits the processing of data of a religious nature. The Court held that baptism is a fact of an unquestionable historical nature.
French laws also stipulate that data retention by the processor or controller is for a certain period of time and not for a lifetime, so erasing this data is considered a natural result that will take place once the reason for processing is completed or finished.
Here, the policy of those in charge of data processing differs, both in terms of the purpose of this processing or even the length of time, for example, Twitter assures users that the period of data retention after deleting the account is 30 days, while Facebook specifies 90 days as a period of time to retain users’ data after deleting their accounts.
But the French legislator has also set some time periods for retaining data regarding medical records, for example, as well as keeping data related to employee salaries and others. Here, he found the need to specify a period to keep this data and not leave it open.
Each user should be aware that his personal data, whether his account is closed, suspended, or the user dies, will remain in backup copies with the service provider for an unknown period of time. The service provider bases its justification on retaining personal data in such cases on two things, the first: if the account has suspended, the user may reverse his decision and reactivate it again, and the same is the case if he terminates the service, his saved data facilitates for him and the service provider also to refer to it easily. If the data has deleted, account closure, or user death, the service provider justifies keeping the data by having contracts with advertising agencies and also contracts with technical developers to improve the service provided, and this is not commensurate with the immediate deletion of user data, as well as Justified by keeping considerations related to the security of users Safety and security to reduce cybercrime.
Technically, let’s discover the right to be forgotten
In open source systems on the Internet such as social Media — for example — anyone can obtain copies of the available data and store it in any external place, these copies cannot be sure of how many copies or where is their location and therefore it is also difficult — technically — to ensure it will be erased, Therefore, imposing the right to be forgotten — from my point of view — is difficult in an open-source global system.
But perhaps in closed source systems, this right — the right to be erased or forgotten — is feasible and useful because it is possible for these systems to control and control the data, unlike open source systems.
What about screenshots?
Hana posted some of her data and information on a website, Ahmed saw this data on his computer while scrolling, and took a screenshot of this data — technically this act cannot be controlled or stopped — Hana tried to use her right to be forgotten or erased, and the company — the website — has already deleted her data from Their servers, but this does not prevent Ahmed from re-publishing this data, and thus Hana’s data is not technically protected.
Therefore, closed source systems can be trusted more than open source systems, where data processing in closed source systems — internally — is limited and can be controlled, and here the implementation of the right to be forgotten becomes possible, but it may not be without challenges as well, but certainly not like open source systems.
The process of deleting data from servers and backups carried out by controllers and processors requires — complex technical matters — and large financial costs to carry out, and this is a major challenge to the implementation of the right to be forgotten.
Some companies are trying to find digital and technical solutions — to protect intellectual property rights, for example — and these technologies may also help protect the right to be forgotten, for example, some technologies have been found that disable taking a screenshot while viewing images, and we all know that this is useful.
we have to care about the data stored on discarded storages like magnetic and flash desk in smartphones, desktop computers and laptops, Regardless of whether private data is processed in an open source systems or closed source systems, because of deleting the files on these devices is not enough to prevent the third parties from recovering this data, and there are many widely available tools, In order to meet this challenge, I believe — in my personal opinion — that these external storage devices must be physically destroyed.
There is also a problem in dealing with sensitive data, there is certainly a difference between personal — normal — and sensitive personal data, which must — in my opinion — a specific time date for companies — meaning an expiration date — where companies must erase and dispose of this data by the end of this date.
The Unwanted collection
There are available techniques that prevent unwanted data collection, for example, the Robot.txt file that prevents Google’s algorithms — or any search engine- from crawling websites and indexing their internal pages. This file is created by website developers or even webmasters or search engine optimization specialists. This is a good tool, but Raising awareness for the user is also necessary and required, as he should not share his data like this on websites and social media, so that he does not regret it afterwards.
In the end, the right to be forgotten is an asset of human rights. He has the right not to publish his data and information on the Internet and in front of everyone like this without his desire to do so. Websites and social media should respect users more than that, to get rid of all data as soon as possible. The user requests this. On the other hand, there are many technical challenges to achieve this, and it requires cooperation from everyone, the law, companies, users and technicians, and raising awareness among users is more important than everything because they are the first and last decision-makers.
And the laws, whether in Egypt or in Europe, and international treaties guarantee the right to be forgotten as well, so when we look at this right we have to pay attention to the whole picture, and not try to rush, I think that achieving and implementing this right in full requires more time.
This right must also be managed well so that it is exploited in the processes of improving reputation or re-imaging and writing the history of certain people, such as deleting some aspects — which may be bad — in their lives, and here it has become related to historical facts that should not be erased, so the matter is somewhat controversial. It has many details.