The Right To Be Forgotten Under Protection Of

ABSTRACT

One of the most frequently referred to concepts regarding personal data protection law at both national and international levels is the “right to be forgotten”. This is a right that aims to prevent sound, image, photograph or news on social media platforms relating to an individual’s past, regardless of whether real or not, having a negative impact on individual’s present and future. Due to it being very new and having arisen from technological developments, this right is still in question but it is of great importance to individuals who share their personal data on online platforms. It is interesting that it has begun to feature in judicial decisions. Beginning with an explanation of the right to be forgotten, this paper will then evaluate this right within the framework of privacy and the right to protection of personal data in the light of the constitution, legislation, and judicial decisions.

I. INTRODUCTION

With the development of the technology, it has become very easy for people to access and retrieve other people's data, especially via the internet. The personal data of anyone with an internet connection can become exposed to unlimited dangers through the internet. Data uploaded to the internet can be easily recorded, copied and published in different places. This makes it possible for another person to access someone’s personal data in a way that threatens their legal security. For this reason, the law of protection of personal data plays an important role in ensuring the personal rights and legal security of an individual’s private life. The regulations regarding the protection of personal data aim to protect an individual’s physical integrity, autonomy, and privacy in the face of serious collection and sharing of personal data1. In this regard, “the right to demand protection of personal data” serves as an umbrella of rights that includes the right to be forgotten.

II.THE RIGHT TO BE FORGOTTEN

The right to be forgotten is a right of a concerned person to request from an operato not to have their personal data linked to their name in search results2. This right gives individuals the right to demand that their data be irreversibly deleted and prevented from being if it has negative consequences or may have negative implications, contain insufficient or irrelevant information and that time has passed since its publication, and is annoying and unnecessary in light of publishing purposes. 

The right to be forgotten was first came up in the European Court of Justice case Google Spain SL, Google Inc (“Google”) vs. Agencia Española de Daececón de Datos, Mario Costeja González3. The European Court of Justice ruled that unless there is an overriding public interest, the internet search engine operator is responsible if the personal data presented by the third parties on the internet search engine is included in any work, even if it is scientific, and this data constitutes an attack on individual rights. Accordingly, the Court held that even though Google does not have the status of a member of the European Union, it is subject to the General Data Protection Regulation (“GDPR”) and as long as there is no legitimate reason not to delete personal data concerning an individual’s private life and there is no public interest in storing personal data, a search engine such as Google should not store or process search results about users after a period of time4. With this case, the right to be forgotten aims to eliminate or minimize the negative effects of the intrusion of technology on personal life and protect individuals’ private life and right to dignity against the abuses made possible by technological developments. 

One of the main features that distinguishes the right to be forgotten from other rights is that the subject of the right is not illegal data. The subject of the right to be forgotten is personal data that complies with the law when it is published. Personal data that is lawful at the time of publication can become illegal as time passes and conditions change, yet the individual's interest is likely to outweigh the public interest. It should be emphasized, however, that no period of time is stipulated; the change to a person's data may occur in any time period. The information subject to the right to be forgotten does not adapt to new realities because it has lost its social importance and has deteriorated in time5. 

The right to be forgotten does not propose an absolute protection; this right can be restricted by the law. Accordingly, the law provides limited exceptions. Within the scope of the Law on the Protection of Personal Data numbered 6698 (“LPPD”),6 an exception to the right to be forgotten is processing personal data with artistic, historical, literary or scientific purposes, or within the scope of freedom of expression, provided that national defence, national security, public security, public order, economic security, right to privacy or personal rights are not violated or they are processed so as not to constitute criminal matters7.

III.EVALUATION OF THE RIGHT TO BE FORGOTTEN IN THE LIGHT OF THE LAW ON PROTECTION OF PERSONAL DATA

Data transfer enabled with developing technology has raised the new issue of protection of personal data to a significant point. In the face of these developments, the protection of personal data, which may be called as a “treasure” of the future, has been recognized as a right under the constitutional provision about the privacy of private life8.

The first regulation about the protection of personal data is the Turkish Penal Code (“Turkish Penal Code”) numbered 5237. The Turkish Penal Code states that “(i)t is an offence to record9. obtain and give to another person10. and to disseminate and not destroy11. personal data unlawfully” and, considering the nature of the protection of legal value, it’s been envisaged as a matter of aggravation state if the personal data is related to another person’s political, philosophical or religious opinions, their racial origins, their illegal moral tendencies, sex lives, health and relations to trade unions12.

The protection of personal data is codified under the 20th Article of the Constitution with the 2nd Article of the Law No. 5982 in 2010. The Constitution proposes this right as a basic human right. Under this provision, everyone has the right to demand the protection of personal data related to them, the right to request protection of personal data, in which cases personal data can be processed, and the procedures and principles regarding the protection of personal data will be regulated by law. The procedures and principles regarding this right are included in the law for the protection of personal data. As a result of the law-making studies carried out in accordance with this matter, the LPPD came into force on 07.04.2016. The purpose of the Law is to protect the fundamental rights and freedoms of individuals, especially the privacy of their personal life in the processing of personal data13.

Personal data is not all data related to an individual in accordance with the law. Within the scope of the LPPD, personal data is defined as “all information relating to an idntified or identifiable natural person.” In order for an individual’s data to benefit from protection under this Law, the data should belong to a natural person and also this person should be able to be detected14. The data in question must be of a nature that distinguishes the individual from other individuals. 

In the LPPD, the processing of personal data is defined as “any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means”15. All processes such as recording, storing, collecting, organizing, obtaining, adopting, disseminating, disclosure to third parties of personal data in any way are included in the processing of data. 

In the modern world, technology makes it possible for individuals to carry out these operations easily and continuously while the processed personal data generates dangers for members of society. Social media platforms are actively used by billions of people who share individuals’ personal data on these platforms. Given this situation, it is clear how important it is to protect personal data in the internet environment. 

The law of the protection of personal data sets out the procedures and principles that will ensure the privacy of private life and plays an important function in the realization of this right16. The protection of personal data mainly refers to the protection of the rights and freedoms of the individual and the limitation to data processing activities during the processing of personal data17. This right aims to protect the privacy of personal information and the privacy aspect of private life. Individuals may control the conditions under which their personal information can be collected and used as the main function of the protection of personal data18. Accordingly, the right to be forgotten can be evaluated as a right for whom personal data collection and processing may be controlled.

In Europe, the right to be forgotten, which has been adopted in European Court of Justice decisions and under the European Union General Data Protection Regulation ("GDPR") and came into force on 05.05.2018, has not yet been adopted by Turkish Law. However, it is possible to exercise the right to be forgotten if certain principles stipulated in the regulation on the protection of personal data are applied together. Those principles related to the right to be forgotten19. regarding the processing of personal data are as follows: “accuracy and being up to date,” “being relevant with, limited to and proportionate to the purposes for which they are processed” and “being retained for the time stipulated by relevant legislation or the purpose for which they are processed.” Of these principles, the one directly related to the right to be forgotten is the principle of “being retained for the period of time stipulated by relevant legislation or the purpose for which they are processed.” If there is a period of time specified by law for data retention, the data controller must comply. If there is no specified time for data retention, the data should be stored only for as long as the processing purpose requires. If the period specified in the law expires, the purpose of processing the data disappears, or the reasons that justify the processing of the data disappears, the data shall be deleted or anonymized. 

Although the right to be forgotten is not clearly mentioned in the Law, the following provision is associated with the right to be forgotten: 

“Despite being processed under the provisions of this Law and other related laws, personal data shall be erased, destroyed or anonymized by the controller, ex officio or upon demand by the data subject, upon the disappearance of reasons which require the process”20. As understood from that provision, this Article guarantees individuals the right to be forgotten. Although it is not explicitly defined under the law, the right is a view of the individual's right to request the removal of personal data that he/she does not want others to see from the virtual environment. 

The European Union General Data Protection Regulation ("GDPR"), which came into force on 05.05.2018, contains regulations that serve the exercise of the right to be forgotten and in this context, Article 17 titled Right to Erasure (right to be forgotten) is as follows: 

“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay (…)” Following this regulation, situations where data should be "erased without undue delay" are clearly stated. Accordingly, it is possible to exercise the right to be forgotten in cases such as if the data subject withdraws consent where the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed; if the personal data is unlawfully processed; if the personal data is processed to offer information society services to children; and if the personal data shall be erased for compliance with a legal obligation to which the controller is subject. 

This regulation of the European Union includes five exceptions that prevent the right to be forgotten from being exercised21. These exceptions are: it is exercising the right of freedom of expression and information, it is clearly provided for by the laws, it is processed within the scope of public interest, public health and scientific or historical research purposes, and it is for fulfilling legal demands. 

The right to be forgotten is not regulated in the law as stated above. However, Supreme Court and Constitutional Court decisions may include the right to be forgotten in certain cases. 

With application number 2013/5653 dated 03.03.2016, the Constitutional Court held that:

“Although the right to be forgotten is not clearly regulated in the Constitution, in view of the right to honour and dignity as part of corporeal and spiritual existence of the individual regulated in Article 17 of the Constitution and the right to request the protection of personal data secured in paragraph 3 of Article 20 of the Constitution, it is clear that the state has an obligation for citizens to give the opportunity to open a new page in their life by preventing other people from reaching the past events.” 

The General Assembly of the Supreme Court also held that22. 

“When it comes to the right to be forgotten; the right to be forgotten and the storage or retention of personal data to the extent necessary for the shortest period of time, in fact, constitutes the roof of the right to protect personal data. The basis of both rights is to enable the individual to freely save on his personal data, make plans for the future without getting stuck in the obstacle of the past and prevent the use of personal data against the person. With the right to be forgotten, it is ensured that the future of the person is not negatively affected by an event caused in the past by his or her own will or by a third party. It is indisputable that if an individual becomes able to shape his or her future by getting rid of the negative effects of the past, this will improve the quality of society as well as benefiting the individual.

The right to be forgotten can be defined as a right to demand that the negative events that take place in digital memory and happened in the past can be forgotten after a while and the erasure and prevention of the spread of the personal data that the data subject does not want others to know, unless there is a superior public interest. 

On one hand, this right gives people the power to “control the past”, “erase certain matters from his or her past and not to be remembered. On the other hand, it imposes an obligation to its addressees that certain information about the person should not be used by third parties and the addressees should take measures to prevent third parties from remembering. It is accepted that besides giving individuals the right to force third parties to delete content about themselves such as photographs, internet diary, this right also gives individuals the right to demand the removal of information about past penalties or information and photos that may cause negative comments about them. On the other hand, this right requires measures to be taken in order for certain aspects of the individual in the past to be not remembered.

” Although the right to be forgotten is not explicitly foreseen by the relevant legislation, or deemed debatable within the scope of the dispute, it appears as a right that can be demanded directly within the scope of the protection of personal data. Again, the 19th Criminal Chamber of the Supreme Court23. held that by referring the Google Decision of the Court of Justice, which constitutes the basis of the right to be forgotten:

“The plaintiff wants a bad incident in the past to be erased from public memory. With the right to be forgotten, he wants to freely shape his future by forgetting an unfortunate incident in his past, in other words, the opportunity to open a new page in his life. Moreover, the plaintiff also insisted on this request in their petitions during the trial. With the right to be forgotten, the plaintiff wants that personal data concerning her private life are not known to third parties and erased from the community memory due to the time that has passed. Since the name of the person who was the victim of an incident 4 years ago is clearly written and included in the book, it should be accepted that the right to be forgotten and as a result of this the privacy of the plaintiff's private life has been violated. Since there are no specific reasons for a superior public interest in the form of the important role of the relevant data in public life and the public's intense interest in the data, as explained by the European Court of Justice in the "Google Decision", the personal data should not be explicitly included in the scientific work that includes judicial decisions….” 

The decision in question is also important in the sense that it indicates that the scope of the right to be forgotten cannot only be the digital environment and that the criteria used in determining the scope of the right is “ to be kept in a place where the public can easily access it.” 

IV. CONCLUSION

With the right to be forgotten, an individual has the right to remove content which remains in his or her past, does not reflect the current situation and is an annoyance to him or herself. In accordance with the principle of proportionality, the processing of personal data forms the basis of the right to protection of personal data. Although the right to be forgotten is not explicitly expressed in the LPPD, following the Supreme Court and the Constitutional Court decisions given above, it is clearly evaluated that the right in question finds protection, especially within the scope of general principles regarding the processing of personal data. In that regard, with the right to be forgotten individuals establish control over their personal data. In this respect, the right of individuals to demand the removal of personal data that is being processed within the framework of the privacy principle is essential for the protection of personal data.

BIBLIOGRAPHY

ELIF KUZECI, Kisisel Verilerin Korunması, Beta, 2. Edition, Ankara, 2018.

EREN SOZUER, Unutulma Hakkı: Insan Hakları Hukuku Perspektifinden Bir Inceleme, On Iki Levha, Istanbul, 2017.

NAFIYE YUCEDAG, “Kisisel Verilerin Korunması Hukukunun Genel Ilkeleri”, Kisisel Verileri Koruma Dergisi, Volume 1, Issue 1, pp. 47-63.

NORBERTO NUNO GOMES DE ANDRADE, “Oblivion: The Right to Be Different from Oneself. Reproposing the Right to be Forgotten”, VII International Conference on Internet, Law & Politics. Net Neutrality and other challenges for the future of the Internet”, IDP. Revista de Internet, Derecho y Política. No. 13.

NORBETO NUNO GOMES DE ANDRADE, “Data Protection, Privacy and Identity: Distinguishing Concepts and Articulating Rights”, 6th International Summer School (ISS), Helsingborg, Sweden 2010, pp. 90-107.

OĞUZ SIMSEK, Anayasa Hukukunda Kişisel Verilerin Korunması, Beta, Istanbul 2008.

CAN YAVUZ, İnternet’teki Arama Sonuçlarından Kişisel Verilerin Kaldırılması Unutulma Hakkı, Seckin, Ankara, 2016.

FOOTNOTE

1 Lee A. Byragave, Data Privacy Law, p. 8; A. Rouvroy / Y. Poullet, p. 70, cited from Eren Sozuer, Unutulma Hakkı: İnsan Hakları Hukuku Perspektifinden Bir Inceleme, Oniki Levha, Istanbul 2017, p. 63.

2 Yavuz Can, Internet’teki Arama Sonuçlarından Kişisel Verilerin Kaldırılması Unutulma Hakkı, Seçkin, Ankara 2016, p. 43

3 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González, The Court of Justice of the European Union, C- 131/12, 13.05.2014, Press Release No 70/14.

4 Ibid.

5 Norberto Nuno Gomes de Andrade, “Oblivion: The Right to Be Different from Oneself. Reproposing the Right to be Forgetton”, VII International Conference on Internet, Law & Politics. Net Neutrality and other challenges for the future of the Internet”, IDP. Revista de Internet, Derecho y Política. No. 13, p. 127.

6 The Law on the Protection of Personal Data, No. 6698 RG. 4.7.2016, No: 29677.

7 For all the exceptions, see The Law on the Protection of Personal Data, Art. 28/ 1.f. 

8 The Constitution of the Republic of Turkey, Art. 20: “Everyone has the right to request the protection of his/ her personal data. This right includes being informed of, having access to and requesting the correction and deletion of his/her personal data, and to be informed whether these are used in consistency with envisaged objectives. Personal data can be processed only in cases envisaged by law or by the person’s explicit consent. The principles and procedures regarding the protection of personal data shall be laid down in law.”

9 The Turkish Penal Code, Art. 135

10 The Turkish Penal Code, Art. 136.

11 The Turkish Penal Code, Art. 138

12 The Turkish Penal Code, Art.137 Headed “Qualified Versions” Where the offences defined in the above articles are committed; a) by a public official misusing his power derived form his public post, or b) by benefiting from the privileges derived from a profession or trade. the penalty to be imposed shall be increased by one half

13 The Law on the Protection of Personal Data, Art. 1. 

14 Elif Kuzeci, Kişisel Verilerin Korunması, Beta, 2. Edition, Ankara, 2018, p. 9.

15 The Law on the Protection of Personal Data, Art.3 / 1.( e).

16 Andrade, p. 96.

17 Oğuz Simsek, Anayasa Hukukunda Kişisel Verilerin Korunması, Beta, İstanbul 2008, p. 95.

18 Rouvroy / Poullet, p. 68. cited from Sozuer, p. 64. 

19 For detailed information about the General Principles, see, Nafiye Yücedag, “Kişisel Verilerin Korunması Hukukunun Genel Ilkeleri”, Kişisel Verileri Koruma Dergisi, Volume 1, Issue 1, pp. 47-63. 

20 The Law on the protection of Personal Data, Art..7 /1f. 

21 General Data Protection Regulation, Art. 17/3f. 

22 The Court of Cassation, E. 2014/4- 56, K. 2015/1679 K., T. 17.06.2015.  

23 The Court of Cassation 19. CD., E. 2018/3318, K. 2018/9281, T. 24.09.2018.