Right to be Forgotten: Right Here, Right Now?

Headlines these past two weeks are riddled with reports of online news outlet Rappler’s legal woes. First, the Securities and Exchange Commission orders the company to close shop for supposedly violating a provision in the 1987 Constitution regarding mass media ownership and management. Then came news of a cyber-libel complaint filed against three of its own based on a piece published almost six years ago today in March 2012.

An article on the cyber-libel charge mentioned a concept that piqued my interest: the right to be forgotten (RTBF). It explained that this right gives a person the power to request the removal of personal information if the entity responsible for its publication (online) cannot justify it. Apparently, there are indicators that it may be creeping into Philippine shores and these attempts to clamp down on mass media are just the tip of the proverbial iceberg.

Is there truth to this? Is RTBF knocking on our doors and we should all be wary and afraid? More importantly, perhaps, would it be so bad? After all, we now live in a time when trolls run amok in cyberspace  and so-called “fake news” cause so much trouble and controversy for a lot of people.

A crash course on RTBF, as established in the European Union (EU), is in order.

It all started with a Spanish national, Mario Costeja Gonzalez, who hated the fact that when you search for his name online, you’d know that in 1998 some of his properties had been sold or auctioned off to pay for social security debts. He complained against the newspaper, La Vanguardia, which posted the auction announcements, and Google, which has control over 70% of the search engine market in the world. When his complaint went nowhere, he raised his concern before the Spanish Data Protection Agency—the counterpart of our own National Privacy Commission. The agency sided with him. Google appealed the matter to Spain’s high court, which, in turn, referred a series of questions to the Court of Justice of the European Union (CJEU). The CJEU is the EU’s judicial institution and ensures that EU law is interpreted and applied the same in every EU country.

Much to the surprise of many, Costeja Gonzalez won.

The EU court held that Google has responsibilities under EU data protection law, like removing search links whenever requested by EU citizens, as long as these requests meet certain tests. It believes that, after some time, even initially lawful processing of accurate personal data may become incompatible with the EU Directive on Data Protection, such as when the data is already “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed.”

A person doesn’t have to show that a particular search link led to an actual injury or damage in order to successfully ask for its delisting or de-indexing. Unless he or she is a public figure or society has a greater interest in accessing information about him or her, this person’s rights are superior to both the economic interest of a search engine company and the interest of the general public.

Perhaps to quell fears that its decision would unduly infringe on free expression, the court attempted to compromise by permitting the original texts to remain accessible and unchanged.

Now, with this background, is it accurate to say that RTBF has legal footing here in the Philippines?

We need to look into our Data Privacy Act (DPA) to address that. The EU court’s decision was, after all,  anchored on the region’s data protection law. That law is the foundation of our DPA.

According to the DPA, an individual has rights that he or she can invoke against another person or an organization (also called a “personal information controller” or “PIC”) that has his or her personal data.

One of them has to do with stopping the processing of one’s personal data, or ordering the withdrawal, blocking, removal, or destruction of that data in the filing system of the PIC—if the data are incomplete, outdated, false, being used for unauthorized purposes, no longer necessary for the purpose of their collection, or if they were unlawfully obtained.

Sounds familiar, right?

With this, I believe it is proper to state that an RTBF could exist right here in our own little corner of the world. Would it apply to journalists or mass media units like Rappler or this platform? If the EU court’s decision is any indication, that is most unlikely. Also, there are several provisions in our DPA that affords protection to free speech, free expression, and a free press. That which excludes personal information processed for journalistic purposes from the scope of the law is one.

But what of RTBF itself—is it good? Is it bad? Is it something to fear, or something to be celebrated?

A column like this would not be enough to answer these questions. I am prepared to concede though that there has yet to be an internationally recognized and enforceable basic right to be forgotten. The new EU data protection law (i.e., General Data Protection Regulation) that’s about to take effect this May does include a section entitled “Right to erasure (“right to be forgotten”)”, but we’ll have to wait and see how that one fares first before we can make a proper assessment.

I also acknowledge the need for a more serious and thorough discussion of this subject. The EU decision, as its critics point out, leaves a lot to be desired. It contains very little guidance for search engines about the process they should take in order to decide on delisting requests. And as far as the criteria it established to help make delisting decisions, they are open-ended and quite subjective. It’s bad enough when you give that much leeway to governments—do we really want to give the private sector the enormous power to censor content online (or at least make things more difficult to find)?

Associated issues are also plenty and diverse. It’s not all about free speech and privacy. Discourses on discovery, history, integrity of public records, the right to information, and the very human needs to forget and to forgive are all at stake.

We now live in a world where support for completely unregulated freedom of speech—especially online—has waned significantly as the implications of the free flows of information have become more evident. In particular, there’s the fact that the fertile environment that’s allowed for easier information dissemination and more meaningful discussions across the globe is the very same culprit that’s given birth to our modern-day trolls and the fake news phenomenon. That said, data privacy, rebranded as the right to be forgotten, however well-intentioned, does threaten to shrink and chill free expression if left in its current state. No rational person—privacy advocate or otherwise—should allow that to happen.

Jamael Jacob is a lawyer specializing in the field of law, ICT, and human rights. He is currently the Director of the University Data Protection Office of the Ateneo de Manila University, and Policy and Legal Advisor to the Foundation for Media Alternatives. The views expressed herein do not necessarily represent or reflect the views of the organizations he is currently affiliated with.