THE RIGHT TO BE FORGOTTEN
As relatively unpopular as it may appear, the Right to be Forgotten is a serious concept. Countries like Russia and South Korea have submitted thousands of data removal requests to Google.
The right to be forgotten is the right of a data subject to have their personal data obliterated or suppressed from the internet. Suppressed because, in some situations, a total erasure of personal information from the internet may be unachievable. In balancing the right of freedom of expression and the right of the public to information with the right of the data subject to private life, the court can make an order for anonymisation of the information, but not for deletion of the information as it relates to the Data subject. Hence, fictitious names can be used to replace the names of the data subjects while the information is still retained. See the case of Olivier G v. Le Soir (29 April 2016, n° C.15.0052.F.
The Right to Be Forgotten, also known as the Right to erasure, is a right founded on case law. It evolved from the decision of the European Union Court of Justice in Google Inc. v. Agencia Espanola de Proteccion de Datos, Mario Costeja Gonzalez (2014). In this case, Mr. Gonzalez filed a complaint before the European Union Court of Justice against Google Spain, Google Inc. and two Spanish newspapers. He complained that an entry of his name on the Google search engine revealed information concerning a confiscation order for his house in connection with an attachment proceeding. Mr. Gonzalez was essentially requesting that the data be erased from the internet, being a matter that had long been resolved, and as such, having the information remain on the internet was considered irrelevant. Interestingly, the court decided in favour of Mr. Gonzalez and ordered that the information concerning the attachment proceedings be deleted. This unprecedented decision of the European Court of Justice would later find its way in the form of a statutory provision as it became codified in Article 17 of the European Union General Data Protection Regulation. This decision held by the European Court of Justice has birthed what is now known today as the Right to be Forgotten or the Right to Erasure.
THE CONCEPT OF THE RIGHT TO BE FORGOTTEN IN NIGERIA
The Right to be Forgotten is connected to the Right to Privacy. It may be considered a subset of the right to privacy. A man who seeks to have a certain part of his life expunged from the internet is essentially seeking the need to keep that part of his life away from the public glare.
Since the Right to be Forgotten cannot be divorced from the Right to Privacy, reference shall be made to the Constitution of the Federal Republic of Nigeria, 1999 (as amended).
Section 37 of the 1999 Constitution provides that: “the privacy of citizens, their homes and correspondences and telegraphic communications is hereby guaranteed and protected”. Although the Constitution does not specifically mention the Right to be Forgotten under Section 37, it is arguable that by the use of the phrases “privacy of citizens”, and “is hereby guaranteed and protected”, a citizen can seek to have certain aspects of their life remain private and not to be brought to the public. After all, the Supreme Court has held in M.D.P.D.T v. Okonkwo [2001] 7 NWLR that:
“The sum total of the rights to privacy and of freedom of thought, conscience or religion which an individual has, put in a nutshell, is that an individual should be left alone to choose a course for his life, unless a clear and compelling overriding state interest justifies the contrary.”
If the position of the Honourable Court is anything to go by, it would mean that an individual should be left alone to choose a course for their life (including the right to have information about themself non-public) so long as there is no overriding state interest justifying the contrary.
THE NIGERIAN DATA PROTECTION ACT, 2023
Section 34(1)(c) of The Nigeria Data Protection Act, 2023 vests on a data subject the right to obtain from a data controller, without constraints or unreasonable delay, the correction or if correction is not feasible, deletion of the data subject’s personal data that is inaccurate, out of date, incomplete or misleading.
By virtue of Section 34(1)(d) of the Act, a data subject has the right to obtain from the data controller the erasure of personal data concerning them.
THE NIGERIA DATA PROTECTION REGULATION (NDPR), 2019
The National Information and Technology Development Agency is a federal agency created in 2001 to implement the Nigerian Information Technology Policy and coordinate general IT development in the country.
Section 6 of the National Information and Technology Development Agency Act of 2007 vests power in the agency to make regulations. It is in line with the exercise of its powers provided in Section 6 of the National Information and Technology Development Agency Act, 2007, that the National Information and Technology Development Agency issued the Nigeria Data Protection Regulations (NDPR) of 2019.
The NDPR contains provisions addressing the Right to be forgotten. Under the NDPR, a data subject may request the deletion of their personal data if:
- The personal data are no longer necessary for the purpose for which they were collected or processed.
- The data subject withdraws consent on which the processing is based.
- The data subject objects to the processing, and there are no overriding legitimate grounds for the processing.
- The personal data has been unlawfully processed.
- The personal data must be erased for compliance with a legal obligation in Nigeria.
TERRITORIAL SCOPE OF THE RIGHT TO BE FORGOTTEN
On the 24th of September 2019, judgment was given in Google Inc. v. Commission nationale de l’informatique et des libertes (CNIL) case C-507/17 defining the territorial nature of the Right to be Forgotten under European law.
It was the decision of the Court that under European law, there is no obligation on Google, and other search engines to apply the European right to be forgotten globally.
By the decision of the court in that case, EU residents could not enforce their right to be forgotten globally, i.e. an EU resident can only demand that information relating to them be deleted or erased from internet searches conducted within the European union.
By the inference of the court decision in the CNIL case, it remains to be asked whether a domestic court can order search engine operators to erase personal data relating to a data subject from various versions of their search engine? To ask the question more clearly, can a High Court sitting in Lagos State order Google to remove data relating to a data subject from all versions of its search engines, e.g Google Nigeria, Google Spain, Google South Africa, etc.?
The decision in CNIL case underscores the limitations of the data protection laws in compelling a global removal of personal data of a data subject from all versions of search engine results.
THE INTERESTING CASE OF GOOGLE INC. V. COMMISSION NATIONALE DE L’INFORMATIQUE ET DES LIBERTES (CNIL) CASE C-507/17
CNIL, a French Data Processing Authority (DPA), had given notice to Google to remove links relating to the data of a data subject from all versions of its search engine worldwide. Google instead limited the removal to only search results conducted using versions of its search engines within the EU and EFTA. Google also adopted the geo-blocking strategy to prevent the links from appearing in searches made in France, notwithstanding the version of the search engine used. The CNIL imposed a fine on Google, faulting it for non-compliance with the directive to delist.
CNIL argued that for the right to be forgotten/right of erasure/ right of removal to be effective, Google is required to de-list links globally. Although Google had made efforts at delisting links relating to the data from all EU and EFTA extensions and from all searches conducted within the French territory, CNIL argued that internet users (netizens) located in France could still access other versions outside the European Union (e.g Google.com). It further argued that limiting the removal of links about an individual living in France to the French version (google.fr) or other versions in other EU member states is not an adequate step in protecting the individual’s right.
Google argued that the right to be forgotten does not necessarily translate to the removal of data without geographic limitation. The right of a EU Citizen to be forgotten does not automatically mean that the data be erased from all its search engines’ domain names. Google also raised an argument on sovereignty, Google’s argument was to the effect that the right of a data subject to the removal of their data, if exercised without geographic limitation would be a disregard to public international law’s principles of “courtesy and non-interference, and the disproportionate infringement of the freedoms of expression, information, communication and the press.
The court considered whether the EU data protection law on de-listing/ de-referencing should be interpreted to mean a search engine operator is required to remove links relating to a data subject worldwide or within the EU, or only at the national level (within a member state).
The court held that search engine operators are not required under EU law to remove links on all versions of their search engines worldwide.
The implication of the decision of the court in CNIL’s case as it relates to the territorial limitation of the Right to Be Forgotten is that if a data subject residing in an EU member state seeks to have their personal data removed from the internet, the link to their data can still be accessed by anyone outside the European Union or anyone in the European Union using a non-EU Search engine domain absent effective measure, such as geo-blocking, to prevent it. Hence, Google is not under an obligation to de-list the personal data of an EU data subject from non-EU domains such as google.com (.ca, au)
The challenge with the territorial limitation of the Right to Be Forgotten is that, notwithstanding a court order compelling a search engine to dereference information about a data subject from the internet and local search engines, such personal data of the data subject can still be accessed in other spaces. For example, if a Nigerian Court compells Google to delist personal information about a Nigerian data subject from its local Nigerian web pages such that it becomes in-accessible by Nigeria- Internet Users, through Virtual Private network (VPN), a person living in Nigeria can still access the de-referenced information notwithstanding Google’s compliance with the court order.
The fact that an internet user who conducts search outside the territory of a data subject can still have access to the personal information of a data subject is an indicator of a strong need for an expansion of the territorial nature of the right to be forgotten thereby making it universally enforceable.
CONFLICT BETWEEN THE RIGHT TO BE FORGOTTEN AND OTHER RIGHTS
Situations would arise where there is a conflict between the right of an individual to be forgotten and the right of a data controller to freedom of expression, and the right of the public to receive information. How does the law strike a balance between these competing rights?
Embedded in the right to freedom of expression is also the right to receive and impart information.
The facts and circumstances may determine which right the court will uphold upon weighing the rights and determining which is more compelling.
The Constitution of the Federal Republic of Nigeria does not rank any of these rights higher than the other, hence the Court in making a decision when there is a conflict between a data subject’s right to be forgotten, ( a subset of the right to privacy) and the right of the general public to receive information.
This article raises a hypothetical question- if a former pornography actor approaches the Court seeking an order that information containing her previously acted pornographic scenes be completely deleted from the internet, claiming the thought of those pornographic scenes gets her depressed and affects her mental health, what would the court, faced with such scenario, do? Will the Court, in making its decision factor acknowledge there is a right to erasure and also the economic rights of the producers in a movie that has gained millions of online views and is generating revenue, particularly when the Claimant foresaw the reasonable outcome and gave consent to acting in the pornographic scenes?
Certain information may also serve journalistic purposes and as such there may be a very compelling need to retain the information. The station a person fills in life may also determine the relevance of their information online. Information relating to the past crime history of an ex-convict may be deemed relevant for official purposes and historical references. Certain information relating to a political figure may also be deemed relevant to the public as opposed to information about a random university student who is not well-known.
To settle instances where there may be conflict between the right of a data subject to erasure and the right of the public to information, this Writer suggests the Courts leaning towards the Utilitarian Theory, evaluating both rights and making a decision that will produce the best overall results in terms of consequence.
CONCLUSION
In a world where data can be exploited and transported to places where the data subject could never have imagined, the right to be forgotten is a very useful safeguard in ensuring that the rights of data subjects are protected.
Regardless of how noble the concept of this right is, there is a limit to its effectiveness when personal data of a data subject has been replicated into various physical forms, such as books, video cassettes, thereby making it difficult to track for destruction.
