I. The Belgian DPA's "Google Belgium" Decision
On July 14th, 2020 The Belgian Data Protection Authority ("the Belgian DPA") fined Google Belgium 600,000 Euro for failing to respect a citizen's right to be forgotten after Google refused deleting the calumnious, out dated search results linked to his name.
The results about the complainant -who has a role in public life- he wanted to get dereferenced were about some castaway political labelling, and a complaint of harassment against him which was declared unfounded many years ago. However, Google decided to not to delete any of the results and received the highest fine ever imposed by the Belgian DPA.
Given the complainant's role in public life, the Belgian DPA stated that the maintenance of the referencing was necessary in the public interest. On the contrary, the Belgian DPA found that since the mentioned search results are old and irrelevant and are likely to damage the complainant's reputation, the right to be forgotten of the concerned person should have been considered by Google.
Although Google argued that the complaint cannot be well-founded because it is brought against Google Belgium while the controller is not Google's Belgian subsidiary, but is Google LLC, based in California; the Belgian DPA did not accept this argument since the activities of Google Belgium and Google LLC are inextricably linked and, consequently, the Belgian subsidiary may be held liable. The Belgian DPA also stated that it is crucial to ensure full and effective protection of the GDPR, as it is not easy for a national authority in Europe to exercise effective control and impose sanctions on a company located in the United States.
As a result, the Belgian DPA imposed a fine of 600,000 Euro on Google for failing to dereference the pages which report the outdated complaint against the complainant, for the lack of information provided to the complainant to justify the refusal to dereference the pages, and for the lack of transparency in the dereferencing form proposed by Google.
II. What is the "Right to be Forgotten"?
The right to be forgotten reflects the claim of an individual to have certain data deleted so that third persons can no longer trace them; leads to allow individuals to have information, videos, or photographs about themselves deleted from certain Internet records so that they cannot be found by search engines, in other words the right to silence on past events in life that are no longer occurring.
In Article 12 of the Directive 95/46/EC the EU gave a legal base to internet protection for individuals. Later in 2012, Proposal for a Regulation of the European Parliament and of the Council Article 17 detailed the "right to be forgotten and to erasure". According to the legislation, the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where several particular grounds applies, such as;
- If the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- If the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
- If the data subject objects to the processing pursuant to "Right to Object" stated in Article 21 of GDPR,
- If the personal data have been unlawfully processed;
- If the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- If the personal data of children have been collected in relation to the offer of information society services.
Considering the application of the legislation, the decision will help setting better standards to protect online privacy in collaboration with the other EU member states, which requires concrete actions against global players. The decision strengthens the development of the data protection culture in Europe, in addition to many other decisions made by the national data protection authorities and the rulings of the European Court of Justice.
III. "Right to be Forgotten" in Turkish Data Protection Applications
On July 17th, 2020, the Turkish Data Protection Authority ("the Turkish DPA") issued a public announcement on dereference requests of data subjects who want their personal data get deleted from search results on the search engines, determining the examination criteria of the dereference requests due to the right to be forgotten. We may express that, the criteria are similar to GDPR and the EU application, and are well-studied in the light of previous related European Court of Justice rulings, such as Google Spain Decision1.
Although the right to be forgotten has not been legislated in Turkish Law, the Turkish DPA accurately reached the issue from the "Privacy of Private Life" perspective under the 20th Article of the Turkish Constitution, and the related provisions2 of Turkish Law No. 6698 on Protection of Personal Data ("Law No.6698").
Article 20th of the Constitution states that, everyone has the right to demand respect for his/her private and family life and privacy of private or family life shall not be violated; everyone has the right to request the protection of his/her personal data. This right includes being informed of, having access to and requesting the correction and deletion of his/her personal data, and to be informed whether these are used in consistency with envisaged objectives.
Given the legal provisions, the right to be forgotten is supported by some legal precedents in Turkish Law. The Turkish Supreme Court Assembly of Civil Chambers used the term "right to be forgotten" in its decision3 in 2015, directly referring to a decision of the European Court of Justice and defined the term as "the right to request deletion and preventing spread of personal data, forgetting the negative incidents of the past out of the digital memory; as long as there is no superior public interest."
Additionally, in 2016 The Turkish Constitutional Court made a decision stated that: "...As of the date of application, it is clear that the search results in question which damages the reputation of the complainant are related to an incident about fourteen years ago and thus became outdated. There is no reason that makes it necessary to access the complainant's data easily on the internet, who does not have a political or media personality in terms of public interest, and the data undermines."
In the light of above, the Turkish DPA executes the right to be forgotten and shows the future complainant's how their applications will be examined. It is stated that each case will be considered in terms of its specific characteristic by balancing it with the right to freedom of speech, but it's likely to accept the dereference requests in case of;
- if the data subject has no public role and there is no public interest to spread the information. Even that a person has a public role if the information is related to the data subject's private life;
- if the data subject is underage;
- if the data is false and/or misleading;
- if the data discloses excessive details about data subject's working life and whether the data subject is still holding the same job;
- if the data constitutes bias against the data subject;
- If the data poses a risk against data subject such as identity theft;
- if the personal data is sensitive nature,
- if the data is outdated;
- If the information is published by the person's explicit consent but later not considered when the person has changed his/her decision regarding it;
- if there is no legal obligation to publish the personal data;
- if the personal data is related to a relatively small crime commited long time ago;
- if the personal data cannot be considered as a product of free journalism under the right to freedom of press as well as the right to freedom of speech and the right to demand protection of honor and reputation.
An individual who wants the search results about oneself to get deleted from the search engines may also make this request to the national courts. We would like to point out that the Turkish DPA particularly guides individuals to apply courts if the information reached by the search result is insulting, slanderous or deragotory.
We believe that the mentioned announcement and guidelines by the Turkish DPA will enlighten the way of the judicial decisions and will help individuals to know how likely are their requests to be accepted before applying.
1. Court of Justice of the European Union Decision Judgment in Case C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González.
2. Turkish Law No. 6698 Article 4, 7 and 11.
3. The Turkish Supreme Court Assembly of Civil Chambers, Decision Numbered 2014/56 E., 2015/1679 K, Dated 17.6.2015
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.