Tech giant and search engine provider Google announced on April 27 that it will allow people to request for the deletion from its search results websites containing their personal contact information such as phone numbers, e-mail addresses, and physical addresses, as well as any information that can be used for identity theft. However, the request will be subjected to evaluation — it shall be denied when the web page containing the information is broadly useful, as in the case of news articles, or when the information is part of the public record on government or official websites. Meanwhile, the removal of the information from the search results does not entail its removal from the web page itself. Still, data subjects or users are not left without further remedy.
The “Right to Be Forgotten” (RTBF) under the General Data Protection Regulation of the European Union (GDPR) provides that data subjects, on specified grounds, shall have the right to demand the erasure of personal data concerning him or her without undue delay.
While the RTBF has been discussed in older court decisions, it is the case of Google Spain v. AEPD (2014) that paved way for the inclusion of the RTBF in GDPR. In this case, the European Union Court of Justice ordered the removal of newspaper articles referring to the complainant’s previous attachment and garnishment case from Google’s search results, when his name is entered. The court reasoned that the rights to privacy and protection of personal data override not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name.
The RTBF finds its Philippine counterpart in the right to erasure or blocking under the Data Privacy Act (DPA). Under the DPA, data subjects are granted the right to suspend, withdraw, or order the blocking, removal, or destruction of his or her personal information from persons or entities who collect, hold, process, or use it.
This right may be exercised on the grounds that the personal data is incomplete, outdated, false, or unlawfully obtained; the personal data is being used for a purpose not authorized by the data subject; the personal data is no longer necessary for the purposes for which they were collected; the data subject withdraws consent or objects to the processing, and there is no other legal ground or overriding legitimate interest for the processing; the personal data concerns private information that is prejudicial to the data subject, unless justified by freedom of speech, of expression, or of the press or otherwise authorized; the processing is unlawful; the personal information controller or personal information processor violated the rights of the data subject.
No distinction or qualification is made as to where the erasure or blocking shall apply or refer to. Thus, unless the government or the National Privacy Commission (NPC) comes out with specific rules, it can be interpreted that this right can be exercised against any persons or entities who hold or process the information, including those who manage websites that contain the disputed information.
To enforce this right, data subjects can first execute a written request with supporting documents to the Data Protection Officer (DPO) of the concerned entity. The letter must state that the request is being made in exercise of the right to erasure. The DPO must act on the written request and in the absence of or the impropriety of the action undertaken, a formal complaint may then be filed before the NPC.
In some cases, the attempt to enforce the RTBF results in unintended and opposite consequences: the information sought to be forgotten becomes immortalized and accessible by the public. This paradox is also called the Streisand Effect. The term originated from a case involving the demand of a famous singer to have the photo of her residence removed from a website. The court proceedings found their way to several news outlets around the country, stirring up the public’s curiosity. This resulted in an increase in website traffic and downloads of the photo.
As a safeguard against this phenomenon, the DPA and its Implementing Rules mandate that members, employees, and consultants of the NPC are required to ensure the confidentiality of any personal data that come to their knowledge and possession. In observance of this policy, the NPC maintains the confidentiality of its proceedings. In issuing its decisions and advisory opinions, the NPC abbreviates or redacts the name of the concerned parties, and omits unnecessary details that could lead to their identification. Thus, with these measures in line, the right to be forgotten will unironically be enforced, if recognized.
This article is for general informational and educational purposes only and not offered as, and does not constitute, legal advice or legal opinion.
ANDREW STEPHEN S. LOTA is an associate in the Intellectual Property Department of the Angara Abello Concepcion Regala & Cruz Law Offices (ACCRALAW).