Internet search engines enable us to gather all search results in one place. Anyone with the desire or interest can obtain information about a particular person that is available on the internet. Regardless of who the “searcher” of data is, the information found can impact the reputation of the individual to whom the search results refer.
It should be noted from the start that the right to be forgotten applies only within the EU and not globally. This means that when an individual requests the removal of search results, the removal applies only to versions of the search engine corresponding to all EU member states, but the search engine operator is not obliged to remove links from all versions of its search engine. It is also important to realize that the right to be forgotten is not an absolute right of the individual and is limited by other rights or obligations (e.g., freedom of expression, data retention duties, etc.).
Who and When Can Request Data Erasure?
An individual, to whom the personal data relates, can invoke the right to be forgotten with any controller processing their personal data, provided there is one of the reasons listed in Article 17(1) of the GDPR. In such cases, the controller is obliged to delete the personal data without undue delay when:
- The personal data are no longer necessary for the purposes for which they were collected or otherwise processed,
- The individual to whom the personal data relates withdraws consent, and there is no other legal basis for processing,
- The individual objects to the processing and there are no overriding legitimate grounds for the processing,
- The personal data were processed unlawfully,
- The personal data must be erased to comply with a legal obligation under EU or member state law applicable to the controller,
- The personal data were collected in relation to the offer of information society services with the consent of a child.
In case of any of the above reasons, the controller must also inform other controllers about the individual’s request. Other controllers are then also obliged to erase personal data relating to the individual.
The right to be forgotten applies only to personal data concerning individuals. Thus, companies or legal entities do not have the right to removal of search results based on the name of the company or legal entity.
The right to be forgotten is also not an unlimited right of the individual. GDPR in Article 17(3) specifies cases where an individual cannot invoke the right to be forgotten, such as when processing is necessary:
- For exercising the right to freedom of expression and information,
- For compliance with a legal obligation under EU or member state law applicable to the controller, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,
- For reasons of public interest in the area of public health,
- For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, if the right to be forgotten would likely impair or make impossible the achievement of the objectives of that processing, or
- For the establishment, exercise, or defense of legal claims.
Request for Forgetting and Appeal
An individual must directly submit the request for forgetting or erasure of personal data to the controller processing, or believed to be processing, their personal data. The controller must respond to the individual’s request without undue delay and provide a response within one month of receiving the request for forgetting or erasure.
According to Article 14(2) of the Personal Data Protection Act (ZVOP-2), the controller’s decision must include reasons for the decision and information about the right to appeal and the deadline for filing it with the supervisory authority. An individual has 15 days from being notified of the decision to file an appeal.
An individual files an appeal against a negative response with the Information Commissioner of the Republic of Slovenia within 15 days of receiving the negative decision from the controller regarding the erasure of personal data. An individual also has the option to appeal to the Information Commissioner if the controller does not respond to the request within the specified one-month period.
Google’s Right to be Forgotten
Google is the most widely used search engine worldwide. Each of us has searched the web for results related to a specific person (search by name and surname). In this case, the search engine finds all the information available on the web for a particular search request. Thus, the searcher gains access to various publications stored on the world wide web, regardless of their content.
To respect the GDPR, Google has prepared a special form in which an individual addresses the search engine operator (Google) with a request to remove certain results from Google Search for queries containing the individual’s name and surname. It should be noted that Google’s obligation to delete all data from the request is not absolute. In deciding on each individual request, the operator will review the content and balance the individual’s right to privacy and data protection with the public interest in accessing information and the right of others to disseminate information.
An individual who fills out Google’s data deletion form must specify the URLs of search results that they believe should be removed from Google Search. For each URL, the individual must clearly state the reasons why they believe and want the operator to remove it from search results. An individual can request the removal of those search results that lead to data that are inappropriate, irrelevant, excessive, or outdated. The search engine operator (Google) will judge, based on the circumstances of the case, whether the individual search results mentioned in the request fall under one of the listed reasons.
The operator will first assess the case based on the information provided by the individual in the data removal request. If the search engine operator believes additional evidence is needed to make a decision, the individual will be asked to provide further evidence, after which a final decision will be made. The search engine operator may refuse to delete data related to, for example, financial fraud, improper conduct in a professional environment, criminal convictions, or the behavior of public officials in public.
In making a decision, the operator will consider several factors that affect the (in)justification of the individual’s request for data deletion. These factors include:
- The individual’s role in public life: The operator examines whether the information is related to the individual’s public role (public figure status). The less the information relates to how the individual is known in public, the more likely the operator is to remove the results.
- Sources of information: The operator also considers the location of the web publication (e.g., a government website, a media site), which will influence their decision on (non-)deletion of data.
- Age of the content: The operator also assesses whether the information is still relevant, often related to the age of the content. It checks whether the information is still current or whether it may be outdated.
- Impact on Google users: The operator always also considers the interest of search engine users in obtaining information covered in the request.
- Truth or falsehood: In cases where an individual believes that the information is false, they must provide appropriate evidence. The operator cannot judge whether some information is true or false (e.g., does not have the ability to call witnesses).
- Sensitivity of the data: The operator considers how private or sensitive the content is (e.g., data on health status, race, sexual orientation, religious affiliation, etc.).
These are just some of the factors that the operator considers and assesses, but none of these factors is absolute. In the case of justified reasons, the search engine operator removes only those search results related to the search request of the name and surname of the individual who submitted the request. This means that the data on the web are still accessible, but perhaps under different search requests or directly via the URL address. In doing so, the operator also takes into account the territorial aspect – the search request will be removed only for Google search versions for countries bound by European data protection legislation (EU member states).