The UE Commission approved the Regulation 679/2016 which shall enter in force on May 25th 2018. The article 17 of this Regulation introduces formally the “right to be forgotten”.
This right has been recognised as a fundamental principle in order to control personal data and information when they are popularized in the “internet world”. However, the right to be erased is not a brand new concept.
The Directive 95/46 guarantees that personal data cannot be kept over the period necessary for the purpose for which the data were collected and, moreover, that the data subject has the right to ask for rectification and erasure.
Because of these principles, the abovementioned Directive recognise implicitly the right to be forgotten. Therefore, the technological development and the necessity to protect people’s privacy led judges to interpret the current legislation in order to strength personal data security.
The first relevant judicial recognition of the right to be forgotten is represented by the ruling of Court of Justice (C-131/12) also known as “Google Spain”. The Court found that the mere economic interest could not justify an excessive and unnecessary usage of people’s personal data, especially when it implies an interference with the life of the data subject. The latter has the right to request the removal of all links with personal information about him and the data controller is obliged to proceeds, unless there is a public interest in having access to that information. In fact, the right to be forgotten is not absolute but it must to be balanced against other fundamental right, such as public interest or the freedom of expression.
The abovementioned ruling established a general principle which was acknowledge and formalised by the UE Commission in the Regulation. In particular, pursuant to article 17 the controller is obliged to erase, without undue delay, personal data concerning the data subject, for example, when the latter withdraw his consent or when data are no longer necessary in relation to purpose for which they were collected.
In erasing personal information the controller shall use all the available technology needed to achieve this result and, at the same time, inform other “controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data”. The purpose of this article is to provide a widespread protection to the data subject, in order to simplify the erasure of his personal data from the web. However, following the principles roughed out by the Court of Justice, article 17 provided that the request of the data subject could not be performed, for example, if the information is necessary for exercising the right of freedom of expression and information or for compliance with a legal obligation or for reason of public interest.
Analysing the Regulation it is possible to understand the purpose of UE Commission: providing a concrete and tangible protection to personal data especially when their usage is no longer necessary or allowed by the data subject. Nevertheless, considering how news and information easily spread on internet we should ask to ourselves how this protection shall be effectively enforced.