The Right to Be Forgotten
In May 2014, the Court of Justice of the European Union allowed the removal of the links to articles published online by newspaper La Vanguardia, detailing a real estate auction, from results pulled up by Google. This order was done at the instance of the subject of the articles, one Costeja Gonzáles, who claimed that the debts related to the auction were not his and were already satisfied, rendering the articles inaccurate and already irrelevant.
With this decision, a right referred to as “the right to be forgotten” was effectively thrust into widespread recognition. Private individuals now had the option to request the deletion of links related to them if the content is considered inadequate, irrelevant, or excessive. Ever since the Google v. Costeja Gonzáles decision, Google’s Transparency Report stated that there have been 656,101 requests for the removal of links from search results.
It is important to note, however, that the right to be forgotten originated from the 1995 European Community Directive on Data Protection, which mandates member-states of the European Union (EU) to legislate on the lawful handling of personal data. The right, which allows for the compelled removal of personal data from online databases, is based on the need of an individual to “determine the development of his life in an autonomous way, without being perpetually or periodically stigmatized as a consequence of a specific action performed in the past.” Among such member-states, the right is articulated in various ways: for example, in France, it is unlawful for personal data to be retained for a period longer than is suitable for the purpose of the data’s acquisition; in Germany, the right to be forgotten is considered a constitutional right; and in Finland, the right consists in restricting employers from acquiring their employees’ digital information without their consent.
Although widely recognized in the EU, the right has been met with concern and criticism because of its impact on the right to free speech and to information. The ability to cause the deletion of certain data online, as a matter of privacy, could ultimately mean the erasure of information critical to certain public discussion. Considering the expanding notion of the right to privacy worldwide, it is important to examine if the right to be forgotten can be made applicable to the Philippines. Furthermore, as the right may potentially disturb the delicate balance between privacy and free speech concerns, two constitutionally enshrined rights, it is worthwhile to examine how the right to be forgotten may be regarded by the Courts.
The Right to be Forgotten in the Philippine Context
How is privacy protected in the Philippines? In the 1987 Constitution there are two privacy rights that are explicitly enshrined: the right to security of persons, their houses, papers, and effects against unreasonable searches and seizures, as well as the right to privacy of communication and correspondence. In view of technological advancement, the right to privacy was further expanded by the promulgation of the Rule on the Writ of Habeas Data in 2008, which authorizes the deletion or rectification of erroneous data or information.
However, the Supreme Court has been stringent in the application of the privacy rights specifically on information found on the Internet. In the 2014 case of Vivares v. St. Theresa’s College, the Court ruled that there could be no expectation of privacy as regards photos posted on social media networks under a “Friends Only” setting, because the public at large may still view the photos. In the decision, the Court made the following statement: “Internet consumers ought to be aware that, by entering or uploading any kind of data or information online, they are automatically and inevitably making it permanently available online, the perpetuation of which is outside the ambit of their control.” The Court adopted a narrow approach towards the right of privacy online.
Despite this, developments in our data privacy law show that the right to be forgotten is made part of Philippine privacy protection. The Data Privacy Act (DPA) of 2012 provides for the right to suspension and blocking, allowing data subjects to order the blocking, removal, or destruction of his or her personal information from a personal information controller’s filing system.
This right may be exercised upon discovery and substantial proof of any of the following:
- That the personal data is incomplete, outdated, false, or unlawfully obtained;
- That the personal data is being used for unauthorized purposes;
- That the personal data is no longer necessary for the purposes for which they were collected; or
- That the data subject withdraws his or her consent or objects to the processing.
Apart from such right, data subjects also have the right to “dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately”. This is akin to the right of rectification present in the EU’s General Data Protection Regulation, which will replace the 1995 Directive and be enforced later this year. This corollary right allows for the correction of inaccurate data by the data subjects or for completion of incomplete data by the data controller.
Evidently, there is already a slow but steady expansion of the right to privacy in the Philippines. The Data Privacy Act already allows individuals to take charge of how their personal data is processed through the right to erasure and the right to rectification. However, progress in this field is still struggling through the Courts at a slow and hesitant pace. Nevertheless, there is room to grow. The right to be forgotten is a pressing concern across the globe and will not be forgotten anytime soon.