Abstract
In the information-oriented society, enormous amount of personal data is continuously being accumulated especially on cyberspace. But the semi-permanency of the Internet makes it harder to eliminate personal information. Thus, the concept of the right to be forgotten came to the fore in many societies. Among the societies, European Union has actively discussed about the substantive concept, possible legislation, and eventually brought out a significant judgment of approving the right to be forgotten. However, there are still negative reactions towards the European Union’s approach like the attitude of the United States, insisting on value of the freedom of expression. In this situation, Korea has several regulations, which contain the idea of the right to be forgotten. The Personal Information Protection Act and the Act on Promotion of Information and Communications Networks Utilization and Information Protection, Etc. stipulates the right to request for deletion of personal information in certain conditions. Even with the existence of the Acts, it is necessary for Korea to examine the European Union’s approach and to complement the weaknesses of the current law.
Ⅰ. Introduction
In the present age, so called the information-oriented society, an enormous amount of data including personal information is continuously being accumulated.[1] This phenomenon is accelerating due to the development of mobile technology and the increased use of smart phone. Indeed, the Social Network Service users are spreading out their personal information – such as status of relationships, photographs, or even daily routine- by themselves to the virtual space. In this large space, not only accumulation but also copy and diffusion of information are easily done. It is inevitably becoming hard to erase a particular data, and even harder to delete the duplication. For this reason, necessity of the right to be forgotten, the right to require deletion of one’s personal information floating on the internet, is under discussion in many societies.
The idea of the right to be forgotten was especially a hot issue in Europe, compared to other societies. In 2010, around 90 people in Spain had sued Google for erasure of their personal information which was being searched continuously on the Google website. Among the plaintiffs, there was a victim of domestic violence who did not want her home address to be found on related articles, which could be searched on Google. Another Spanish old lady wanted her record of arrestment in her 20s to be erased permanently on Google. In this regard, Agencia Española de Protección de Datos (AEPD; the Information Protection Board of Spain) ordered the defendant, Google, to delete articles that contained names of the plaintiffs from the index.[2] The decision of AEPD represented the Spanish government’s view, that plaintiffs have the right to be erased. This case aroused controversy over the right to be forgotten in Europe.
As a result, the concept of the right to be forgotten was initially mentioned on the General Data Protection Regulation (GDPR) of Europe in 2012.[3] Accordingly, the Court of Justice of the European Union (ECJ) delivered a judgment on the acknowledgement of the right to be forgotten in May, 2014. [4] Even though the verdict of ECJ may only be valid among the countries of European Union, the approval of the new right seems to stir up a discussion worldwide. The parties who lay emphasis on the protection of the personal information might agree with the judgment of ECJ. On the other hand, the parties who highlight the freedom of expression, such as the United States, might disagree with the result and advocate for the liberty on Internet.
Therefore, Korean society need to analyze the concept of the right to be forgotten based on the GDPR and the judgment of ECJ. Then, the opposing opinion, especially the attitude of the United States, needs to be reviewed carefully. On the basis of such examination, it is necessary to make a comparison with the legislation of Korea and to seek a rational access to form the idea of the right to be forgotten in Korea.
Ⅱ. Different Point Of View: The European Union & the United States
- European Union
(1) The Stipulation of the Right To Be Forgotten
The right to be forgotten signifies the right to ask an opponent for the erasure of one’s personal information especially on cyberspace. In 2012, the expression of the ‘right to be forgotten’ was written on the proposal of the General Data Protection Regulation (GDPR) of Europe for the very first time. See the part of the establishment of the right to be forgotten stipulated in the GDPR, Article 17.1: The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child, where one of the following grounds applies:
(a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data;
(c) the data subject objects to the processing of personal data pursuant to Article 19;
(d) the processing of the data does not comply with this Regulation for other reasons.[5]
In short, there are four different cases which bring the right to be forgotten into existence. The scope of the ‘personal data’ written here is broad since the proposal of the GDPR defines it as every information related to the data subjects.[6]
The right to be forgotten imposes duties to the subject so called ‘the controller’. The controller is “the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data”.[7] Check the legal force of the right to be forgotten and to erasure mentioned in the GDPR. Article 17.2:
Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorized a third party publication of personal data, the controller shall be considered responsible for that publication.[8]
In summary, the proposal of GDPR had suggested not only the European Union, but also other countries the framework for the legislation of the right to be forgotten. Despite difficulties of the formation a new kind of human right, the European Union carried on the pioneering endeavor in this territory.
(2) The Judgment of the Court of Justice of the European Union (ECJ)
In May 2014, the ECJ delivered a judgment on the right to be forgotten. This was the first judgment of the ECJ to approve the right to be forgotten officially.[9] The case was about a Spanish man, Mario Costeja González, arguing that it is irrational for Google Spain to enable anyone to search for an auction notice of his repossessed home dating back from 1998, on a mass circulation newspaper website in Catalonia. He insisted that issues about his property have no reasons to be linked on Google until now. Finally, the ECJ ruled that under the existing European Union data protection laws, Google has the duty to erase the links to particular websites from the web results when Mario Costeja González’s name is put into the search engine. [10]
The judgment of the ECJ has three controversial points. First of all, it implies the range of territoriality of the European Union’s rules. Although the physical server of a company is located outside Europe, European Union’s rules apply to search engine operators if they have a branch or a subsidiary in a Member State of European Union.[11] Secondly, the verdict shows applicability of the European Union’s data protection rules to search engines, which is regarded as the controller of personal data (remind the ‘controller’ on page 3). Lastly, the judgment acknowledges that the individuals have the right to be forgotten – the right to ask search engines to eliminate links with their personal information. Exercising this right is valid when personal information is inaccurate, inadequate, irrelevant or excessive for purposes of the data processing.[12] Nevertheless, ECJ pronounces that the right to be forgotten is not unconditional. Obviously, it should maintain a balance between other fundamental rights.[13]
- United States
In contrast to the European Union, the United States is somewhat rigorous on the application of the right to be forgotten.[14] A lot of the United States commentators opposed to proposal of the right to be forgotten and even described the European Union regulators as “foggy thinking”.[15] This is mainly is because the idea of the right to be forgotten conflicts with the fundamental rights of US – freedom of expression and of the press.[16] In fact, the First Amendment, which guarantees freedom concerning expression, religion, assembly, and the right to petition, implies that the United States puts emphasis on freedom of expression. In the United States Constitution, the First Amendment “plays particularly an important role in court practice and seems to have reached a prevailing level as an entrenched right in comparison with other fundamental rights.”[17] Since the justification for limiting the freedom of speech was tied to the constitutional scrutiny of “highest order” of public confidentiality interest, therefore, the court practice tended to outline the potential scope of a right to be forgotten in quite a narrow way.[18] Meanwhile, other commentators even predicted that the idea of the European Union might allow a property right in information. For better understanding, see the case of ‘Florida Star’:
B.J.F. was a woman who reported to the Sheriff’s Office that she had been robbed and sexually assaulted. Since the Sheriff’s department allowed the newspaper Florida Star to access the police report including the victim’s name without restriction, a junior reporter sent the copy of the report to Florida Star. As a result, though it was against the internal policy of Florida Star and the state law of Florida, the case was reported in public with the victim’s name. In spite of the fact that B.J.F. submitted a case to the Florida State Court, the Supreme Court noted that it is against the First Amendment to impose a newspaper company the liability for damages.[19]
However, there are still some positive viewpoints towards the right to be forgotten. For instance, some suggested that children should be guaranteed to erase the carelessly posted personal data.[20] Besides, there are some opinions which “noted that the concept of ‘forgive and forget’ embodies a fundamental human value, and that the United States law recognizes at least some elements of a ‘right to be forgotten’.”[21]
In conclusion, the overall perspective of the United States indicates that a deliberate consideration is needed when accepting the concept of the right to be forgotten. It is needless to say that balancing the conflicting interest, especially the freedom of expression and the right to be forgotten, is truly a significant matter. Thus, the attempts of reconciling the two contrasting views, the United States’ and European Union’s, will stimulate the societies to create even more rational form of legislation for the right to be forgotten. To find a possibility of a harmony, check Yahoo!, Inc. v. La Ligue Contre Le Racisme Et L’Antisémitisme for reference:
In Yahoo!, Inc. v. La Ligue Contre Le Racisme Et L’Antisémitisme, the Ninth Circuit noted that ‘the extent of First Amendment protection of speech accessible solely by those outside the United States is a difficult and, to some degree, unresolved issue…’, when reversing a lower court decision which refused on First Amendment grounds to enforce a French court decision compelling Yahoo to halt sales of Nazi memorabilia (illegal in France) on its site.[22]
The case shows that First Amendment protections are not absolute, at least in the context of foreign-related speech. Indeed, there are some more cases in the United States that the concerns of First Amendment are diminished in the context of international communications.[23]
Ⅲ. The Right to be Forgotten in Korea
- Personal Information Protection Act of Korea
To begin a discussion of the right to be forgotten in Korea, it is necessary to identify the current legislation of domestic law as well as to review the relevant issues developed in the European Union. Also, precise comparison between the two aspects is required. To move ahead with the discussion, it is indispensable to examine the Personal Information Protection Act of Korea. The Personal Information Protection Act guarantees a subject of information the right to request correction and deletion of personal data (Article 36), and the right to request suspension of managing one’s personal information (Article 37).
Indeed, Article 36 seems to have a similar point with the European Union’s right to be forgotten.[24] A subject of information may request a personal information manager to correct or delete his or her personal information. However, if other Acts and subordinate statutes stipulate the particular personal information to be collected, the subject of information shall not request the deletion.[25] When received a request from a subject of information, a personal information manager shall investigate the personal information in question without delay, take necessary measures, such as correction, deletion, and etc. based on a request from the subject of information, and notify the subject of information of the result unless other Acts and subordinate statutes stipulate special procedures for correction or deletion of the personal information.[26] When a personal information manager deletes personal information pursuant to the condition above, he or she shall take measures to prevent the personal information from being recovered or recycled.[27]
- Act on Promotion of Information and Communications Networks Utilization
The Act on Promotion of Information and Communications Networks Utilization and Information Protection, Etc. in comparison with the Personal Information Protection Act, is intended for treatment of personal information between the provider, the user, and communications service. Among the Acts, Article 29, Article 30, and Article 44-2 are focused on deletion of personal information. When the provider of information and communication services achieves the purpose of gathering personal information or achieves the purpose of being provided with the personal information, he or she shall promptly dispose of the relevant personal information. Provided, that the same shall not apply to a case where other Acts and subordinate statutes require the preservation of such personal information.[28] Moreover, the user may at any time withdraw his or her agreement towards the collection, usage, provision of his or her personal information which was given to the provider.[29] If the information provided to the information and communications network in public creates problems such as invasion of privacy or defamation, the invaded may ask for deletion.[30]
- Comparison between the European Union & Korea
The approaches towards the right to be forgotten between European Union and Korea have a lot of differences. Compared to the proposal of General Data Protection Regulation (GDPR), Korea’s Personal Information Protection Act does not restrict the conditions for exercising the right so that it expands the denotation of the right. This leaves rooms for abuse of the right.[31] On the other hand, Personal Information Protection Act has higher legal stability than the system of European Union due to precise and specific reasons of limitation for the right.[32]
In addition, the range of application scope of the right to be forgotten is different. In Korea, the information stored by the personal information processor and certain information such as invading privacy are the actual subjects of application of the right to be erased. In contrast, the legislation of European Union not only includes the information stored by personal information processor, but also overall information related to a subject either offered voluntarily or copied or linked. Therefore, which technologies of gathering information should be asked to erase is still a discussion.[33]
Ⅳ. Conclusion
The right to be forgotten is not a new issue in Korea. There are related Acts that are currently valid. However, the judgment of the ECJ arouses even more intensified discussion about the idea of the right than before. By understanding aspects of the European Union, it may be possible to seek solutions for weaknesses of the domestic legislation in Korea.
Above all, restrictions on conditions for exercising the right are needed to narrow the denotation. Specific limitations are required so that exercising of the right can maintain balance with actual situations, social circumstances, or the national conscience. Secondly, attempts to reconcile the right to be forgotten with Acts from other fields are necessary. Remember the case from Google showing the link between the right to be forgotten and International law. Finally, adoption of the European Union approach can be considered to have created a substantive right. However, this is not a simple issue. Therefore, it is very important to examine the possible problems of adopting the right to be forgotten as a new kind of right from all angles.
[1] Eunbyul Ko et al, Implementing Differences of Right to be Forgotten Between EU and Korea – Comparative Analysis in the Perspective of Personal Information Protection, Communications of the Korean Institute of Information Scientists and Engineers, Vol. 30, Issue 10, 34, 34 (2012).
[2] Kyunghwan Kim, Knowing Information Protection Law [26] The Right to be Forgotten: The Whole World is at law, Boan News (Feb. 19, 2013), http://www.boannews.com/media/view.asp?idx=34910&kind=1 (last visited Jan. 2015).
[3] Choi, Kyoung-Jin, The Judgment of the Court of Justice of the European Union on ‘Right to be Forgotten’ and Its Implications, Dankook Law Review, Vol. 38, Issue 3, 47, 70 (Sep. 2014).
[4] Google Spain SL, Google Inc. v Agencia Espanola de Proteccion de Datos (AEPD), Mario Costeja Gonzalez, Case C-131/12 (May 2014).
[5] The proposal of General Data Protection Regulation Article 17.1 (2012).
[6] Park, Jeong-Hun, A Right to be Forgotten, Freedom of Speech and Data Privacy, Study of Public Law, Vol. 14, Issue 2, 569, 577 (May, 2013).
[7] Supra note 5, Article 4.5.
[8] Ibid., Article 17.2.
[9] See, e.g., Alan Travis & Charles Arthur, EU court backs ‘right to be forgotten’: Google must amend results on request, The Guardian (May 13, 2014), http://www.theguardian.com/technology/2014/may/13/right-to-be-forgotten-eu-court-google-search-results (last visited Dec., 2014).
[10] Ibid.
[11] Supra note 3, at 53.
[12] Id.at 53.
[13] Id at 53.
[14] See, e.g., Daniel Fisher, Europe’s `Right To Be Forgotten’ Clashes With U.S. Right To Know, Forbes (May 16, 2014), http://www.forbes.com/sites/danielfisher/2014/05/16/europes-right-to-be-forgotten-clashes-with-u-s-right-to-know/ (last visited Dec., 2014).
[15] Steven C. Bennett, The “Right to Be Forgotten”:Reconciling EU and US Perspectives, 30 Berkeley J. Int’l Law. 161, , 164 (2012), available at http://scholarship.law.berkeley.edu/bjil/vol30/iss1/4.
[16] Id. at 165.
[17] Rolf H. Weber, The Right to Be Forgotten: More Than a Pandora’s Box?, JIPITEC, 120, 122 (2011).
[18] Id. at 122.
[19] Supra note 5, at 587.
[20] Supra note 13, at 166.
[21] Id. at 167.
[22] Id. at 172.
[23] Id. at 172.
[24] Supra note 3, at 75.
[25] Personal Information Protection Act Article 36.1.
[26] Ibid., Article 36.2.
[27] Ibid., Article 36.3.
[28] Act on Promotion of Information and Communications Networks Utilization and Information Protection, Etc. Article 29.
[29] Ibid., Article 30.1.
[30] Supra note 1, at 38.
[31] Supra note 3, at 82.
[32] Id. at 82.
[33] Supra note 1, at 39.
1stdayofdecember@gmail.com