Right to be forgotten as a fundamental human right

Introduction

right to be forgotten

Recognized as the Age of Information, the increment of the scope and usage of our personal data nowadays has made the access to these data remarkably easy, which has led to an increase in situations that threaten the security of data. The place of the Internet in our lives nowadays has brought along our personal data be used and shared without our consent, and information which we prefer not to be known by anyone be easily found by people unrelated to us, through their computers and smartphones. Therefore, the necessity for the practice of law to keep up with the time has arisen, and many regulations have begun to be made regarding the protection of personal data both with international and national law regulations of the states. The value that is essentially protected with these regulations is the privacy and self-dignity of an individual, and therefore the right of the individual to exist as a respected person. However, these regulations must also be in such a way that prevents situations of conflict with other rights and freedoms such as the right to obtain information, freedom of the press, and freedom of expression. It could be said that the conflict of interest between the right to protect the personal data of the individual and the rights mentioned above has originated the right which is named as the “right to be forgotten” today.

Analysis of the Research and Publications

Being a relatively new and broad subject of law, various aspects of the right to be forgotten became a subject of examination for Courts and scientific interest for scholars such as S. Gьlener, S. Nalbantoglu, Y. Зelik, H. Elmalica. Even with the current regulations, the question of its scope and relations between associated rights still need further investigation with the purpose to understand it and make a common jurisprudence to effectively prevent the violations of the right.

Research Tasks

Human rights represent a field of law that is constantly evolving and open to improvement, and the right to be forgotten is one of the newest rights added to this field. The purpose of this article is to examine the right to be forgotten as a fundamental human right through developments occurring at the international and national legislations. To reach this aim, it is needed to perform the following tasks: to determine the context of the right to be forgotten under the relevant branches of law, to chronologically examine and analyze developments in the international and national legislation, to detect improvable points of the issue.

Research Results.The right to be forgotten is a fundamental right that emerged as the greatest and most important legal consequence of the information age. The right to be forgotten is the deletion of any personal data in the digital memory at the request of the individual or the removal of them in a way that cannot be recovered [1, p. 226]. In other words, the right to be forgotten may be summed up as the right of natural and legal persons to have their personal data in any form such as information, photographs, or documents be removed from or not be included among the results of Internet searches made under their own names and other directories, under various circumstances.

At this point, the difference between the right to be forgotten and the right to privacy should be emphasized

Although the right to be forgotten is directly related to the right to privacy and is similar in terms of the protected legal interest, they differ in terms of the subject. As a matter of fact, while personal data is protected with the right to be forgotten, the right to privacy protects individuals' privacy, hence their private lives. This issue could be explained as follows: The right to private life is a constitutionally guaranteed absolute right which takes its basis from the Article 8 of the European Convention on Human Rights (ECHR), and could be claimed against anybody. It includes the confidentiality of information related to an individual and their family and profession, and it is undesired for it to be learnt by others. Any form of breaking in and interfering within a person 's secret space constitutes a violation of privacy [2, p. 392]. With supranational documents and constitutional regulations, states are obliged to provide and protect the right to private life for every individual, and therefore, criminalized its violations. The right to be forgotten, however, protects the confidentiality of personal data as defined above, without constituting an absolute right. To define further; personal data refers to all information regarding a specific or identifiable person [3, prg. 20]. In addition to the information that is used for identification such as name, surname, place of birth and date; any kind of information which contains concrete content that expresses the physical, economic, cultural, social, or psychological identity of the person (telephone number, address, health status, criminal record, genetic information, etc.) are also considered personal data. The purpose of the right to protect personal data, which exists as a sub-view of the right to privacy, is to take the necessary measures to keep the records kept by the public or private sector safe by securing the privacy of the private life, and to protect the individuals by this means [2, p. 396]. On the other hand, personal information covered by the right to be forgotten is essentially the information which does not fall within the scope of private life under the laws. To set an example, while health records are personal data which are private to each person, criminal records are personal data that were once public, thus, do not fall within the scope of private life. Since the protection of personal data within the scope of private life is already ensured by the right to privacy, the personal data in need of additional protection under the appearance of a new right are those that are outside this scope. Therefore, it could be stated that while the right to privacy regards nonpublic information, the right to be forgotten is about information that once was open to the knowledge of third parties.

Another important matter to be considered is casesin which the right to be forgotten conflicts with rights and freedoms such as freedom of expression, freedom of the press, and the public 's right to information.The implementation of these rights must be in a way that does not let them violate each other as the balance between rights must be observed thoroughly. Freedom of expression is a globally accepted fundamental right that is protected by Constitutions, based on the Article 10 of the ECHR. Every person has the right to freely express their thoughts and convictions within the scope of freedom of expression, and the right to receive and provide information within the scope of freedom of communication. And the internet is the most common tool to fulfill the requirements of these rights. As the internet is one of the main tools for the exercise of freedom of expression and information, it has been emphasized many times in the judgments of the European Court of Human Rights that it is a complementary element of these rights, and it is only possible for a person to intervene and request deletion of the content shared by others about them if there appears a valid ground. Likewise, the freedom of the press, which can be defined as the ability to freely express news, ideas and opinions through reproductive means, should be considered within the framework of the freedom of information and principles of journalism [4, p. 586]. In the deletion of news within the scope of the right to be forgotten, it is regarded whether the news is made in accordance with the principles of journalism, reflecting the facts of the issues that are newsworthy and concern the public, without containing any unlawful elements. Since determining the right that is to be held superior between the right to be forgotten and aforementioned rights is a matter to be evaluated respectively in every concrete case, regulations were made in both international and national legislation, and case law was created in order to establish a unity in this issue and to strengthen its legal basis.

Determining the responsibilities of the data controller/data preserver for an effective and correct implementation of the right to be forgotten constitutes one of the most important issues regarding this topic. Therefore, rules of international organizations, agreements and conventions, judgments of courts, as well as national regulations, board and court decisions that are effective in determining the limits of the right to be forgotten are briefly described below.

With a review on the international studies on the right to be forgotten, the first detectable law studies about the topic werecarried out in France in 2010. The draft of law stipulates a regulation that imposes obligations on internet and telephone companies for the destruction of e-mails and telephone messages completely, at the request of the relevant person or after a reasonable period of time [5, p. 1612].

The first time that the right to be forgotten was mentioned as a right that draws attention to privacy and protection of personal data, however, was by Viviane Reding, Vice-President of the European Commission and EU Justice Commissioner, for The EU Data Protection Reform, in Munich, 22 January 2012. While introducing the term of `right to be forgotten' for the first time, Reding emphasized that it is not an absolute right, while stating that the right to be forgotten would build on already existing rules to better cope with privacy risks online, while the preparations for the reform are being completed [6].

Nevertheless, before any Regulations were made by the EU, the first case where the right to be forgotten was a subject to examination by legal authorities took its place by the Court of Justice of the European Union (CJEU),with the Judgment of Mario Costeja Gonzвlez v. Google Inc, Google Spain, in 2014. The Court has examined the case under the EU Directive (also known as the `Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data),and stated the extent of the responsibilities of the operator of a search engine and the scopes of the processing of data in regard of the Directive. The judgment states that an internet search engine operator is responsible for the processing that it carries out of personal data which appear on web pages published by third parties [7]. In other words, it accepts search engines as data controllers due to their data processing activities. Moreover, CJEU puts Google Inc. in the scope of the Directive despite not being based and located in a member country, with stating that it carries out its data processing activities through Google Spain, a company that Google Inc. has established within the borders of a member country. CJEU concludes that if following a search made based on a person' s name, the list of results displays a link to a web page that contains information on that person, the person may approach the operator of the search engine (the controller) directly, and the controller shall examine the request's merits duly.

Where the operator does not grant the request, the data subject may bring the matter before the competent supervisory or judicial authorities in order to obtain the removal of that link from the list of results. To sum up, the judgment states that individuals have the right to request search engines to remove links containing their personal data from search results under the specified conditions. Following this judgment, search engines were obliged to create request forms on their websites regarding the right to be forgotten and began to examine removal requests before competent authorities, with the standards that are set with common practice.

While a common practice in the area of data controllers and Courts is being set according to the Judgment, the most important development as an international regulation, the Regulation (EU) 2016/679, referred as General Data Protection Regulation (GDPR), entered into forcein May 2016 and applies since May 2018 [8]. As stated in Art. 1, the GDPR regulates rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data, protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. Being the most comprehensive security law internationally, the GDPR elaborately defines the material and territorial scope of the Regulation, the definition of the terms included, the principles of processing personal data, the rights of the data subject, liabilities of controller and processor, as well as remedies and penalties. Despite being drafted and passed by the EU, GDPR imposes obligations onto organizations all around the globe, if they target or collect data related to people in the EU. According to Art. 4 which covers twenty-six definitions, the essentials are as follows: Personal data means any information that relates to an individual who can be directly or indirectly identified, including pseudonymous data if it's relatively easy to ID someone from it. Data processing is any action performed on data, whether automated or manual, such as collecting, recording, organizing, structuring, storing, using, erasing. Data subject is the person whose data is processed, while data controller is the person that alone or jointly determines the purposes and means of processing personal data, and data processor is the third party that processes personal data on behalf of a data controller. An important topic that should be mentioned is the consent of the data subject. Art. 7 states that the consent must be freely given, specific, informed, and unambiguous, and clearly distinguishable from the other matters, while Art. 8 specifically regulates the conditions applicable to child's consent in detail. However, the foremost importance about the GDPR is that while prior studies have made the right to be forgotten visible to public, the GDPR directly embodies the issue with its Art. 17, titled as “Right to erasure (`right to be forgotten').” Thus, GDPR becomes the first international regulation to officially name the right with its doctrinal well-known name. The Article states that the data subject shall have the right to obtain from the controller the erasure of personal data concerning themselves, and the controller shall be obligated to erase the data and apply other necessary measures if one of the conditions listed in the Article are present. Situations that require exercising the right of freedom of expression and information, purposes concerning public interest, and legal obligations are stated as exceptions for the Article's extent.

Besides the continuing international developmentsregarding the matter, the states have also taken the responsibility to go on with their own studies to regulate national laws on the issue, Republic of Turkey being one of the many examples of these states. To exemplify the process of national studies, the regulations, procedures, and case law regarding the right to be forgotten in Turkey will be briefly mentioned below.

The right to be forgotten has its constitutional basis fromArt. 20 of the Turkish Constitution, with the constitutional amendment made in 2010. The article constitutes that “Everyone has the right to request the protection of his/her personal data” [9].

The first judgment to begin creating a case-law about the subjectwas in June 2015, when the Turkish Court of Cassation examined an appeal of a lawsuit for intangible damages. In its decision, the Court made direct reference to the judgment of CJEU that was mentioned before in the article, with using the term “right to be forgotten” [10]. The claim for compensation which is the subject to appeal is about the violation of the applicant's personal rights caused by publishing the decision of a criminal case that was realized 4 years ago, in a book without censoring the name of the applicant, who was the victim of this case. In the decision, the Court defines the right to be forgotten as “the right to ask for the negative events of the past in the digital memory to be forgotten after a while, to be deleted and prevent the dissemination of personal data that others do not want to know, unless there is a superior public interest.” The court also stated that; considering the definitions of the right to be forgotten, although it is regulated for digital data, when the characteristics of this right and the relationship between this right and human rights are examined, it is clear that it should be accepted not only for personal data in the digital environment, but also for personal data kept in a place easily accessible by the public. In the end, the Court decided that the right to be forgotten of the applicant, as well as their right to privacy, has been violated, thus should be compensated.

The first case to evaluate the right to be forgotten as a fundamental right, however, was by the Constitutional Court of Republic of Turkey, in March 2016 [11]. The applicant had requested their name to be deleted from the archive database of an internet-based news site, which was initially mentioned in a news-report of 14 years ago. The Magistrate's Court had decided to accept the request on the grounds that the report subjected to the request was not up-to-date and newsworthy anymore; that there was no public interest for its remaining on the agenda; and that it included offending and destructive information concerning the relevant person's private life. When the decision of the court was revoked upon objection, the case was brought to the Constitutional Court. The Constitutional Court has assessed the case with two general principles of the Turkish Constitution: Right to protect and improve one's spiritual existence; and Freedom of Expression and Dissemination of Thought and Freedom of the Press. With a detailed examination under these principles and relevant Articles of the Constitution as well as the ECHR and leading scholars' opinions, the Court concluded that the news regarding the applicant should be evaluated within the scope of the right to be forgotten. Considering the opportunities provided by the internet, access to the news in question should be blocked in order to protect the applicant's honour and reputation. In that respect, the rejection of the request for blocking access has failed to strike a fair balance between the freedoms of expression and the press and the right to protection of spiritual integrity. Consequently, the Court has concluded that the applicant's right to protection of their honour and reputation has been violated and accepted their request for confidentiality of their identity in the documents accessible to the public.

Following this Judgment, Turkish Personal Data Protection Law No. 6698 has entered into force in April 2016 [12]. Being passed into law even before the GDPR has entered into force, the Law constitutes an important part of the Turkish legislation regarding personal data. The Law regulates its purpose and the scope, definitions, the principles and conditions for processing of personal data, the difference between processing “Special categories of personal data” and “personal data”, rights of the data subject and obligations of the controller, the Data Controllers' Registry, crimes and misdemeanors, the Personal Data Protection Authority (PDPA), the Personal Data Protection Board (PDPB) and its duties, as well as exemptions and other related topics. The PDPA is a public legal entity and has administrative and financial autonomy, has been established to carry out duties conferred on it under the Law. The most importantduty of PDPB regarding the subject of this article is that every data subject has the right to make a complaint to the PDPA with the claim of a violation of their rights [13]. However, it is a legal obligation to apply to the data controller before applying to the PDPA. In cases where the application is rejected by the data controller, the response is found to be insufficient, or the application is not responded within 30 days, a complaint may be made to the Board within 30 days from the date the data controller's response is learned, and in any case within 60 days from the date of the first application. Within the scope of this Law, many complaints were submitted to the PDPA with a request for the applicant's personal data to be permanently deleted, which has led to the latest development in Turkey: The Decision of the Personal Data Protection Board dated 22/07/2020 and numbered 2020/559 regarding “the transfer of personal data abroad based on Convention No. 108” [14].

With this decision, it is announced to the public that the applications concerning the right to be forgotten are considered as a supreme concept within the framework of the Constitution and Law No. 6698, and in this context, the relevant persons shall apply to the search engines regarding their requests to remove the search results from the index based on the procedures and periods specified in the provisions of the Law, and if the data controllers refuse or do not respond to the applicant, they may apply to the Board, whilst also directly applying for judicial remedies to restrict or block access to the subjects of the application.

In regard of the Law no. 5651, also known as the Internet Act, it is possible to remove content published on the Internet or to block access to the relevant section (URL) of the website where the content is accessible, under certain circumstances listed under Articles 8 and 9 [15]. With the amendments made to the Law in 2014, removal of content or blocking of access are now also applicable to violations of personal rights, violations of the right to privacy, and the use of the right to be forgotten in the scope of the Law. It has been stated that, in order for a piece of news to be removed from the internet within the scope of the right to be forgotten, the following facts are examined in a concrete case: the content of the publication, the duration of its broadcast, being out of date, not being accepted as historical data, contribution to the public interest, whether the subject of the news is a politician or a celebrity, the subject-matter of the news or article and whether the news contains factual facts or value judgments, public interest in relevant data. It was also stated that unless necessary, it should be decided against blocking access of the entire publication on the website in question [16].

In times of pandemic, the global community has got one more reason for its internal differently directed changes to give a rather quick reaction for its further existence and development in conditions of the fight against COVID-2019 [17, p. 439]. Prevention of human rights violations is a key part of the protective policy of every country in the world [18, p. 585]. Even talking about the implementation of the right to be forgotten, in COVID-2019 and post-COVID-2019 times the safety environment in this area has to be supported by modern legislation concerning legal technologies as regulatory-protective instruments that are used by national governments and involved international organizations [19, p. 456-457].

Conclusion

The right to be forgotten is one of the most important results of the internet in the field of human rights. In order not to misuse it, studies should be carried out in supranational sources for it to be regarded as a fundamental human right, and states should be able to prevent the violation of this right. However, the impartiality and sense of justice of the authorities that will carry out its supervision are of great importance in terms of ensuring the balance with valuable human rights such as freedom of expression and the press. Nowadays, despite having public interest and directly concerning the public, news regarding a natural or legal person that holds a certain political or mediatic power is being removed, deleted, or having their access blocked, within the scope of the “right to be forgotten”. On the other hand, some certain media organizations are found to be persistent in not removing news that is insignificant to the public or even contain false information about their subject, within the scope of “freedom of expression”. Therefore, it is of great importance that judicial practices are formed correctly regarding the topic. It should not be forgotten that human rights are first and foremost about and for people.

References

1. Gьlener Serdar. Deleting on Demand from Digital Memory: «The Right to be Forgotten» as a Fundamental Right. Journal of The Union of Turkish Bar Associations. Volume 25. Issue 102. October 2012. P. 219-240. URL: http://tbbdergisi. barobirlik. org.tr/m2012-102-1218 (date of access: 22.05.2021).

2. Зelik Yeзim. Protection of Personal Data as Reflection to the Privacy of Private Life and the Right to Forgotten for this Context. Journal of The Justice Academy of Turkey. Volume 8. Issue 32. October 2017. P. 391-410. URL: https://dergipark. org.tr/en/download/article-file/981639 (date of access: 22.05.2021).

3. Constitutional Court of Republic of Turkey Decision of Annulment M. 2014/122, D. 2015/123.30.12.2015. URL: https:// normkararlarbilgiban- kasi. anayasa. gov.tr/ ND/2015/123?EsasNo= 2014%2F122 (date of access: 22.05.2021).

4. Nalbantoglu Seray. Right to be Forgotten as a Fundamental Right. Journal of The Justice Academy of Turkey. Volume 9. Issue 35. July 2018. P. 583-605. URL: https://dergipark.org.tr/ en/download/article-file/980809 (date of access: .

5. Elmalica Hasan. The Right to be Forgotten as a Fundamental Human Right that the Information Age Has Discovered. Journal of Ankara University Faculty of Law. Volume 65. Issue 4. 2016. P. 1603-1636. URL: https://dergipark.org. tr/en/download/ article-file/621578 (date of access: 22.05.2021).

6. Viviane Reding's speech during The EU Data Protection Reform 2012: Making Europe the Standard Setter for Modern Data Protection Rules in the Digital Age. Munich. 2012. URL: https://ec.europa.eu/commission/presscorne r/detail/en/ SPEECH_ 12_26 (date of access:.

7. Court of Justice of the European Union Judgment in Case C-131/12 Google Spain SL, Google Inc. v Agencia Espanola de Protection de Datos, Mario Costeja Gonzвlez. Press Release No 70/14.Luxembourg. 2014. URL: https:// cu- ria.europa.eu/ jcms/upload/docs/ application/ pdf/ 2014-05/cp140070en.pdf (date of access:.

8. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation). URL: https://eur-lex. europa.eu/legal-content/ EN/ TXT/ PDF/ ?uri=CELEX:32016R0679 (date of access: .

9. Constitution of Republic of Turkey. URL: https://global. tbmm.gov.tr/ docs/ constitution_ en.pdf (date of access: 22.05.2021).

10. Court of Cassation of Republic of Turkey Plenary Assembly of Civil Chambers Judgment M. 2014/4-56, D. 2015/1679. 17.06.2015.

11. Constitutional Court of Republic of Turkey Plenary Judgment of applicant N.B.B. Application no: 2013/5653.03.03.2016. URL:https://kararlarbilgibankasi.anayasa.gov.tr/BB/2013/5653 (date of access: 22.05.2021).

12. Personal Data Protection Law No. 6698. URL: https://www.kvkk.gov.tr/Icerik/6649/ Person- al-Data-Protection-Law (date of access: 22.05.2021).

13. Personal Data Protection Authority. Information on Right to Lodge a Complaint. URL: https://kvkk.gov.tr/Icerik/6616/Right-to-Lodge-a- Complaint-with-the-Board- (date of access:.

14. Personal Data Protection Board Decision regarding the transfer of personal data abroad based on Convention No. 108. D. 2020/559. 22.07.2020. URL: https://www.kvkk.gov.tr/Icerik/6812/2020-559 (date of access: 22.05.2021).

15. Law on Regulation of Broadcasts via Internet and Combating Crimes Committed by Means of Such Publications. URL: https://www.mbkaya.com/ turkish-internet-law/ (date of access: 22.05.2021).

16. Court of Cassation of Republic of Turkey Criminal Chamber No. 19 Judgment M. 2016/15510,2017/5325. 05.06.2017.

17. Myronets O.M., Danyliuk I.V.,Dembytska N.M., Frantsuz-Yakovets T.A., Dei M.O. Current Issues and Prospects of Modern Higher Legal Education in Conditions of the Fight against COVID-19. Cuestiones Politicas. 2020, 37. P. 438456. DOI: 10.46398/cuestpol.3865.29.

18. Myronets O.M., Burdin M., Tsukan O., Nesteriak Yu. Prevention of human rights violation. Asia Life Sciences. 2019, 21 (2). Р. 577-591.

19. Myronets O., Olefir V., Golosnichenko I.,

Pyvovar Yu. Legal technologies as instruments of civil aviation safety improvement in conditions of the fight against COVID-2019. Revista de la Univer- sidad del Zulia. 2021,12 (32). P. 445-459.

DOI: 10.46925//rdluz.32.26.

Размещено на Allbest.ru