Consideration of the Legislation for the Right to be Forgotten

 

Abstract

            In 2012, European countries which especially have been actively discussed of right to be forgotten legalized it. European commission announced ‘Proposal for a Data Protection Regulation’ which secure a wide scope of data protection. Right to be forgotten is also actively discussed in each country because harm of personal rights from searching and revealing personal information online is increased significantly. Right to be forgotten is a right of self-control over personal information online. The data subject shall demand the controller deleting or correcting any data related to the data subject. Deleting data could cause some problems. Freedom of speech would be destroyed due to unlimited deletion of articles and materials. Technological problem restricts perfect data protection. Internet is too broad to delete every data related to data subject and duplication cannot be figure out completely. Moreover, global enterprises are in opposition to right to be forgotten because of their interests. The burden of expense and technology are also problems. By comparing EU and Korean law about data protection, each government has to seek reasonable and limited standard of securing right to be forgotten considering the state of 4 issues in each country.

 

. Introduction

‘Googling’ is not a new or weird word any more. It has become a common synonym for searching. People have become familiar to using search engines with the propagation of private computers and the Internet. Contrary to the age before the popularization of the Internet, searching for information has become remarkably easy and comfortable. In addition, the popularization of SNS, the Social Network Service, enabled people to find more private information of someone without difficulty. People tend to share their own lifestyle, photography or even personal data with their SNS friends. It means that there is stronger possibility of exposure of your information to a total stranger. Unwanted personal data could be searched and revealed. It would connect to an abuse of human rights. Some entertainers even commit suicide for the result of witch-hunting in the way of revealing secret on the Internet. Because of these problems, discussion on ‘the right to be forgotten’ has progressed.

Viktor Mayer-Schoenberger, a professor at Oxford university, argues the necessity of permanent deletion of digital information in his writing, “Delete: The Virtue of Forgetting in the Digital Age (2009)[1]”. ‘The right to be forgotten’ started to receive attention with this book. The right to be forgotten is the right to exercise self-control over personal information online. The subject of information may demand deleting all online data about himself or herself and prevention of diffusion of data. Because the level of internet generalization is the highest level in the world and the problem from this has also highly increased in Korea, the legislation for the right to be forgotten is being actively discussed. An active discussion of the issue is in progress in every country. European countries in particular have actively discussed about the issue, and recently the right to be forgotten was enacted. European Commission announced ‘Proposal for a Data Protection Regulation’ in 2012.

In this report, first of all, we will look at some issue surrounding right to be forgotten. Secondarily, the legislations for right to be forgotten between EU and Korea will be compared. Then, finally, whether Korea have to legislate right to be forgotten or not and legislation directions will be considered.

 

. 4 Issues on the Right to be Forgotten

  1. Abuse of human rights

As mentioned above, at the age before popularization of the Internet, searching for information had limitations and injury from data was forgotten in process of time. Nevertheless, data can be stored permanently so that anyone can recall it with ease these days. Even ‘profiling’ is enabled by only searching data on the internet: it means analyzing someone’s data comprehensively for the purpose of obtaining their identity.

As a result of revealing someone’s private information or unwanted secret, the person who is directly involved in gets significantly injured both physically and emotionally. To prevent this kind of abuse of human rights, practical policy measures for remedy and legislation of right to be forgotten have to be prepared on the level of the government.[2]

 

  1. Conflict with the Freedom of Expression

It is hard to avoid the conflicts between the right to be forgotten and the freedom of expression(speech). The right to be forgotten could infringe on the freedom of speech and the right to know of the public by excessive deleting articles and press materials.

Moreover, the role of press fades away if the right to be forgotten is guaranteed unlimitedly. The main role of the press is the monitoring of the government and the authority. If news articles and data were easily eliminated by the rule of right to be forgotten, the magnitude of the external pressure on them would increase inevitably. Consequently, the press tends to be favorable to authority and capital. Another value of journalism is that articles are historical records. Simple elimination of articles means simple elimination of historical value.[3] To guarantee the right to be forgotten, a strict level of standard is essential.

 

  1. Technical Difficulties

First of all, the range of applying the right to be forgotten is obscure. The range of securing personal information could expand limitlessly because data is be collected, used, and stored from the level of direct information and communication service provider to the level of anonymous users who search or store data by using the Internet service. Accordingly, the obscurity of range makes it hard to delete all the data which is demanded by the person who is directly involved.

Even when the range is clearly fixed, technical problem remains. It is almost impossible to eliminate all the personal data from the wide world of the Internet. There is another possibility of duplication which cannot be deleted by the rule of the right to be forgotten. To figure out all the object which was linked or copied has difficulty in the present technology.

 

  1. Big Resistance of Global Enterprises

             Global enterprises resist against the legislation of right to be forgotten. For this reason, the United States cannot readily legalize right to be forgotten. Big global enterprises e.g. Google, Facebook or Yahoo, make an effort to collect personal information to provide a customized service and to attract advertisement. On that account, global enterprises express concern and opposition against the expansion of the application range of the right to be forgotten.[4]

Furthermore, it is inappropriate that enterprises take all responsibility for the problem because it is not a simple problem of the enterprise level, and enterprises are not the only stimuli. Also, technical limitation and problem of expense are too heavy for enterprises if they solely are to take charge. Proper distribution of responsibility between government and enterprises is needed. Not only compulsory measures but also a guideline on the government level has to be prepared to conduct the introduction of the right to be forgotten.

 

. Comparison of Legislations for the Right to be Forgotten in EU and Korea

  1. European Commission’s Proposal for General Data Protection Regulation[5]

(1) Article 4: Definition of ‘data subject’ and ’personal data’

The proposal for ‘Regulation of the European Parliament and of the Council’ on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)[6] determines the definition of ‘data subject’ and ‘personal data’ in Article 4. EU sets up the range of data protection with a wide scope. Regardless of the data provider, a data subject may demand the deletion of “any information relating to a data subject” :

 

Article 4 Definitions

For the purposes of this Regulation:

(1) ‘data subject’ means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;

(2) ‘personal data’ means any information relating to a data subject;

 

(2) Article 17: The right to be forgotten and the right to erasure

Aritcle 17.1 states that:

the data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child.

This is simple provision of the right to be forgotten. The data subject has the right to delete personal data regardless whether the data is provided by the data subject or not

Article 17.2 gives a duty to the controller where the controller, referring to in paragraph 1, has made the personal data public. The controller:

shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication.

 

(3) Article 80: Exception to the Right to be forgotten and the right to erasure

However, in Article 17.3, possibility of limitation of right to be forgotten is stated alongside Article 80. “The controller shall carry out the erasure without delay, except to the extent that the retention of the personal data is necessary for exercising the right of freedom of expression in accordance with Article 80” According to Article 80, “journalistic purposes or the purpose of artistic or literary expression in order to reconcile the right to the protection of personal data with the rules governing freedom of expression” are exempted from the principle of the right to be forgotten.

 

Article 80 Processing of personal data and freedom of expression

  1. Member States shall provide for exemptions or derogations from the provisions on the general principles in Chapter II, the rights of the data subject in Chapter III, on controller and processor in Chapter IV, on the transfer of personal data to third countries and international organizations in Chapter V, the independent supervisory authorities in Chapter VI and on co-operation and consistency in Chapter VII for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression in order to reconcile the right to the protection of personal data with the rules governing freedom of expression.
  2. Each Member State shall notify to the Commission those provisions of its law which it has adopted pursuant to paragraph 1 by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment law or amendment affecting them.

 

(4) Article 79: A Compulsory Measure

Article 79 states administrative sanctions. According to Article 79 (c):

the supervisory authority shall impose a fine up to 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover, to anyone who, intentionally or does not comply with the right to be forgotten or to erasure, or fails to put mechanisms in place to ensure that the time limits are observed or does not take all necessary steps to inform third parties that a data subjects requests to erase any links to, or copy or replication of the personal data pursuant Article 17.

This is the highest level of rules of punishment in General Data Protection Regulation. The supervisory authority may impose a fine up to 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover, which are significantly strong regulations.

 

  1. Korean Law for the Right to be Forgotten

(1) Personal Information Protection Act

1) Article 36

The right to be forgotten is regulated in Article 36 and Article 37 of Personal Information Protection Act. Article 36 states that the data subject who read personal information may require the controller to correct or delete the information. The controller has to investigate the personal information, to take the necessary step to correct or delete the information and inform the result to the data subject without delay unless there is another measure to correct or delete the information by the legislation.

 

2) Article 37

According to Article 37 of Personal Information Protection Act, the data subject may require the controller to stop information processing. The controller has to stop processing all information or part of the information without delay. However, the controller may deny the demand of the data subject if: (a) there is a special regulation in law, (b) there is concern about hurting other people’s body, life or capital unjustly (c) if a public institution did not process the personal information, the public institution cannot conduct other business, and (d) if the controller did not process the personal information, the controller cannot provide services contracted with the data subject and the intent of data subject is unclear.

 

(2) Act on Promotion of Information and Communications Network Use and Information Protection

1) Article 30

Article 30 of Act on Promotion of Information and Communications Network Use and Information Protection also states that the data subject who read personal information may require the controller to correct or delete the information. The controller has to take the necessary step to correct or delete the information without delay. When the controller cannot correct the information, the controller has to notify the reason to the data subject without delay. Without these measures, the controller cannot use or provide the information involved in. However, with another requirement to provide the personal information according to the legislation, the controller may provide and use the personal information.

 

2) Article 44-2

Article 44-2 regulates the right to demand for deleting personal information. In case the information is provided for the purpose of public offering and this information hurts another one’s right like private life or honor, the victim may explain the fact and require the controller to delete or publish the content of retort. The controller has to take a necessary step to delete the information or a temporary measure and inform the result to the data subject without delay. In spite of the demand for deleting information, the controller may take a 30-day-long temporary measure in case it is hard to judge whether there is infringement of one’s rights or not or a conflict between the people directly involved in the case is expected.

 

  1. The Differences between Legislations for the Right to be Forgotten in EU and Korea

1) Range of Personal Information Protection

EU legalizes personal information comprehensively while Korea legalizes it limitedly. Personal information protected by the EU proposal is: (1) any information relating to a data subject can be identified, directly or indirectly; (2) with reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person; and (3) used by the controller or by any other natural or legal person, in particular by data subject.

On the contrary, personal information protected by Korea is (1) the information involved in an infringement of private life in online or defamation. The personal information is only (2) used or stored by the controller. Korea narrowly guarantees the personal information.

 

(2) Duty of the Controller

Because the range of protection of General Data Protection Regulation is comprehensive, the range of the controller who takes the duty is also broad. The controller regulated by EU has to take every steps surrounding right to be forgotten: (1) the deletion the personal information without delay; (2) the notification toward the third person who process the personal information; and (3) taking proper measures including technological measures and paying for offering personal information to the third person. By contrast, the range of the controller who takes the duty in Korea is the business operator only. The controller has to take a simple step which is to delete the personal information of the website.[7]

 

. Conclusion

The necessity of securing the right to be forgotten is clear with the propagation of internet service and social network service. It is difficult to prevent an infringement of personal rights on the internet without guaranteeing right to be forgotten.

When we consider whether right to be forgotten is to be introduced or not, there are 4 issues that we have to adjust. First of all, revealing someone’s private information or unwanted secret is connected to both the physical and emotional injury of the data subject. To prevent this, practical policy measures for remedy and legislation of right to be forgotten have to be prepared. Secondarily, the right to be forgotten is highly probable to damage the freedom of speech. Thus, the range of the right to be forgotten has to get a limiting boundary, harmonizing itself with freedom of speech. The range of protected object also has to be restricted because of technical problems. On the level of current technology, perfect protection and deletion of information are impossible. A preparation and an amendment reflecting the limitation of technology level have to be considered before the progression of technology. Lastly, practical policy measures for remedy and legislation of right to be forgotten have to be performed at the government level. Global enterprises also have to take a big role in it, but their interests do not coincide with right to be forgotten. Therefore, government should have to secure the right to be forgotten by making policy measures or legislation.

European Union recently enacted right to be forgotten. ‘Proposal for a Data Protection Regulation’ in 2012 comprehensively protects personal data on the perspective of securing wide range of data protection object and measure of remedy. Compared to this, right to be forgotten in Korea is limitedly protected by ‘Personal Information Protection Act’ and ‘Act on Promotion of Information and Communications Network Use and Information Protection’.

To sum it up, right to be forgotten has to be introduced with limiting standard. Considering coordination with freedom of speech and the level of technological problem, comprehensive protection like EU would be risky. The range of data protection in Korean Law is too narrow in this stage. Reasonable and limited standard has to be created as the result of full discussion and consideration.

 

Referneces

∙ Viktor Mayer-Schoenberger, Delete: The Virtue of Forgetting in the Digital Age, Princeton University Press(2009)

∙ Jaejin Lee, Bongwon Koo, Toward the Proper Resolution of the Problems Caused by Unerasable Old News Articles on the Internet, Journal of Korean Broadcasting & Telecommunication Vol. 22-3(May 2008), pp. 172-212

∙ Eunbyul Go, Gwanghui Choe, Jaeil Lee, Implementing Differences of Right to be Forgotten Between EU and Korea – Comparative Analysis in the Perspective of Personal Information Protection, Journal of KIISE Vol. 30:10 (Oct. 2012), pp. 34-41

∙ JeongCheol Ha, A Thought on the Right to Be Forgotten Articulated in the European Commission’s Proposal for General Data Protection Regulation, Digital Policy & Management Studies Vol. 10:11 (Dec. 2012), pp. 87-92

∙ Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), available at http://eu.europa.eu/justice/data-protection

∙ Personal Information Protection Act art. 36 (S. KOR)

. Personal Information Protection Act art. 37 (S. KOR)

. Act on Promotion of Information and Communications Network Use and Information Protection art. 30 (S. KOR)

. Act on Promotion of Information and Communications Network Use and Information Protection art. 44-2 (S. KOR)

 

[1] Viktor Mayer-Schoenberger, Delete : The Virtue of Forgetting in the Digital Age, Princeton University Press(2009)

[2] ∙ Jaejin Lee, Bongwon Koo, Toward the Proper Resolution of the Problems Caused by Unerasable Old News Articles on the Internet, Journal of Korean Broadcasting & Telecommunication Vol. 22-3(May 2008), pp. 172-212

[3] ibid

[4] ∙ Eunbyul Go, Gwanghui Choe, Jaeil Lee, Implementing Differences of Right to be Forgotten Between EU and Korea – Comparative Analysis in the Perspective of Personal Information Protection, Journal of KIISE Vol. 30:10 (Oct. 2012), pp. 34-41

[5] JeongCheol Ha, A Thought on the Right to Be Forgotten Articulated in the European Commission’s Proposal for General Data Protection Regulation, Digital Policy & Management Studies Vol. 10:11 (Dec. 2012), pp. 87-92

[6] Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), available at http://eu.europa.eu/justice/data-protection

[7] Supra note, 4

 

dolcesh@gmail.com

Posted in Spring 2014.