In the digital era information is easily accessible and eternal, and privacy has become elusive. Many jurisdictions around the world are examining how legislation can protect citizens from the exploitation of their private information, and the Australian Government intends to propose a series of amendments to the Privacy Act. The Journal talks to those affected by the current lack of regulation about what the changes could mean.
Being acquitted was not the end of the nightmare. The moment it happened, though, it felt like a relief to Lawrence (a pseudonym to protect his identity). The trial had dragged on over a few tough years. The result was one he expected, but having it materialise was nevertheless emotional and cathartic – a burden off his shoulders.
Lawrence was eager to resume everyday life, but he works in an industry where people search for his name regularly. Unfortunately for him, a journalist was present during the opening statement, and subsequently an article was published online.
It took only a couple of months after the trial for someone to call asking to discuss something they had found. “It brought everything back to me,” Lawrence says. “Even though it ended, it will never go away.” Lawrence explained as best as he could that he had been acquitted, but alas, the damage had been done – and was now costing him his career.
His story is all too familiar to many Australians in the digital era.
In the International Covenant on Civil and Political Rights, Article 14 entrenches the right to be presumed innocent until proven guilty by law. But what is on the internet remains forever decontextualised and easy to access.
The article written about Lawrence did not include the verdict. If it did, it could have noted that the jury was quick to acquit Lawrence, and unanimous in doing so. Instead, the article remained out there with the accusation, and was never updated. “Nothing mentions I was found not guilty”, he says. “It’s almost captured in time like I’m just a man in limbo online.”
Lawrence and his legal team asked for the news outlet to remove the story, but after getting no response, his only option lay in a lengthy and costly procedure to forcibly remove it. He could also request a follow-up article with the verdict, but even if the publication agreed – which they don’t have to – this could bring unwanted attention to his case.
“Regardless of going through the judicial system, being found not guilty unanimously and fairly quickly, I was going to have to live like a guilty man. It was going to affect my life, as long as that stuff was available online.”
Richard (also a pseudonym) has had a similar traumatic experience, but his case is slightly different. Over a decade ago, he was the subject of an investigation that deemed him guilty but never prosecuted him; he was never given a chance to clear his name and defend his innocence.
“After that finding came out, very few of (the people in my professional network) knew the difference between being convicted through a commission and convicted through a court,” he tells the Journal. “Everybody thinks it’s the same thing.”
As a result, Richard also saw his professional career affected. He held an important executive role, and, by his estimation, his career was set back by 10 years. As a workaround, he changed his name and started rebuilding a new career in a different industry. But the paranoia cannot be easily shaken off. Richard hired a company that specialises in Search Engine Optimisation (SEO) to post articles about himself to try to drown out the original article with positive comments, as well as work to have it removed. But, as he astutely notes, there isn’t an incentive for online news outlets to remove or change pages if this can affect their SEO.
Every small interaction that most of us take for granted, like walking down the street or going to the supermarket, causes Lawrence slight paranoia. “If they’re looking, it [may be] because they’ve seen something online,” he says. “Is that why I’m getting that look?”
“My kids don’t know my real name”, Richard adds. “Because if one of their friends, or their parents, googled me – I don’t know why they would, but if they did – they could tease my kids or say, ‘your dad is not a good person’. If that ever happened to my kids, I would be devastated.”
Lawrence shares the uncertainty. “I do everything I can just to move on and get on with it. But I know it’s just lying dormant, waiting to pop up again at some point, professionally or socially,” he says.
Richard concludes, “You have an ongoing burden that you’re forever carrying.”
Growing pains of the digital age
Management of personal information has become one of the most important topics of the digital age. Examples include the ability of businesses to store everyone’s information regardless of whether it’s still relevant to them or not. News outlets can also create their own database of people’s information. In analogue times, one article would be printed, and then archived by the time the next edition arrived. Nowadays, that archive is eternal, forever searchable and available to everyone, regardless of whether it is no longer relevant or the context changes.
To adapt the use of information in the modern age, in 2014 the European Union passed the General Data Protection Regulation (GDPR). If you entered a website and saw a pop-up window telling you about the policies for the use of cookies (small bits of information your computer sends to a website), that’s because of GDPR – a series of regulations that websites have to operate under to keep, maintain, delete and manage their users’ information. The law includes the now famous Article 17, where a subject may request for his data and information to be removed from websites, including search engines – this is also known as the “right to be forgotten”. The goal, according to Article 1, is to “protect fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data”.
Australia has yet to develop a similar law, but the Federal Government, as part of its commitment to updating privacy laws in the digital era, requested consultation on and review of the Privacy Act 1988 (Cth). Following the inquiry by the Australian Consumer and Competition Commission into the effects of digital platforms, the Privacy Act Review Report flagged a series of vulnerabilities regarding people’s information that can lead to serious privacy breaches, “including recently in relation to several high-profile data breaches, exposing millions of Australians to privacy risks including identity fraud, reputational damage and blackmail.”
The Report, it states, aligns Australia’s laws with the global standards on information privacy protection, including the standard set by the European Union. The GDPR is, in fact, mentioned as the model behind proposals to address individual rights, such as rights to object, to request erasure, and to have search results de-indexed. While exemptions are proposed to comply with public and legal interests, and with situations where it is technically impossible to fulfil the individual’s request, the Report suggests transparency requirements for when the use of personal information affects the lives of individuals. “Entities would need to provide information about types of personal information used in automated decisions-making [sic] systems and how such decisions are made,” the Report reads.
For Richard and Lawrence, a new law would make a difference. “Absolutely,” Richard says. “It would have a positive impact on my ability to participate in social institutions again.”
Lawrence goes further. “It would be a huge weight off my shoulders,” he says. “I spent enough time going through this. It was painful enough. It costs a lot of money. The whole process was intimidating and horrible. If nothing was tying me to that anymore? I could go on with my life.”
The right to erasure
In the early 2000s, the Spanish newspaper La Vanguardia, like every other newspaper, digitised its archived printed editions so they could be easily found by anyone, anywhere in the world.
In 2009, financial adviser Mario Costeja González realised that googling his name would bring up an 11-year-old La Vanguardia piece that he believed could damage his reputation. In 1998, Costeja González was dealing with a large social security debt that forced him to sell one of his properties. La Vanguardia published an announcement of foreclosure auctions with the intent of attracting as many bidders as possible. In total, four lines were published in the 19 January edition and five lines on 9 March.
The property was sold, and Costeja González resumed his career, leaving his financial woes behind. But on that fateful day in 2009, when he discovered that those two articles were the first to come up when googling his name, it left him concerned. The problem, he believes, was not so much his current clients but his future ones. A search engine could easily dig up one part of his past he wouldn’t want to have taken out of context so quickly.
“Clearly, when this was one of the first things that showed up on Google, it was damaging to my career as a financial adviser,” González explained to the online newspaper EUobserver. The situation was so alarming that Costeja González started to misspell his name on purpose on business cards – Costeza – so if people googled him, they wouldn’t find out about his past setbacks.
It wasn’t until Costeja González hired lawyer Joaquín Muñoz Rodriguez that something was done in the legal landscape. Muñoz had written a post on his personal blog precisely about how search engines were legally obliged, under Spanish law, to remove damaging information if so requested, including if the information was incomplete or outdated.
From that post, Muñoz received many enquiries about hiring his services, but it wasn’t until Costeja González contacted him that he decided to accept. He says, “His case contained three elements that led me to believe that we could win: the information was clearly out of date, it damaged his professional career, and it had been digitised long after it had ceased to be relevant.”
Requests to remove the article and the search result were promptly rejected by both La Vanguardia and Google Spain. Muñoz took the case to the Spanish Data Protection Agency (AEPD), which determined that, while the newspaper had no responsibility in the matter, it was reasonable for Google to remove the search results from its engine. Google consequently brought two separate actions against the decision to the Spanish High Court, relying on the fact that privacy laws in the European Union, of which Spain is a member state, were unclear. The search engine argued that Costeja González did not have the right to erasure of the lawfully published material.
The case ended up being referred to the Court of Justice of the European Union (CJEU) to clarify three questions:
- whether the EU’s 1995 Data Protection Directive applied to Google and other search engines;
- whether the Directive applied to Google Spain if the company’s data processing server resided outside of the EU’s jurisdictions;
- and whether an individual has “the right to be forgotten”, that is, the right to request for one’s personal information to be removed from search engines.
On 13 May 2014, the CJEU ruled that EU data protection rules still apply to search engines, even if their services are outside the Union, finding that search engines are “controllers of personal data.” More importantly, the Court found that individuals have the right to ask for their personal information to be removed from search engines.
There are some caveats here. The CJEU reiterates that this is only in “certain conditions”, clarifying that the “right to be forgotten is not absolute but will always have to be balanced against other fundamental rights, such as the freedom of expression.” In that matter, the CJEU calls for a case-by-case assessment that considers the type of information being removed and how it will affect the individual’s private life and the public interest. This legally solidified “the right to be forgotten” as a human right in the eyes of the European Union.
As a result, Google claims to have received more than 12,000 requests to remove links from its search results.
During the Google Spain v AEPD and Mario Costeja González trial, the EU was already moving to replace the 1995 Data Protection Directive, with a regulation at that stage being discussed in Parliament – the GDPR. The ruling did help set the “right to be forgotten” as Article 17 of the Regulation, but it would be replaced in the final draft by a more restricted “right to erasure”. On 14 April 2016, the European Parliament and Council of the European Union adopted the GDPR, and stated that companies would have two years to prepare for it before it came into effect in May 2018.
Within this new Regulation, a series of rights are explicitly etched to protect the individual, including a “right of access by the data subject”, and the right to rectify inaccurate personal data. In the final draft, the “right to erasure” stipulates that the data controller will need to erase, upon request, any personal information from the data subject under the right conditions. The article also shows five final exemptions to the request, including for exercising freedom of expression and information, for reasons of public interest, for archiving purposes, and “for the establishment, exercise or defence of legal claims”.
In the years that followed, the GDPR would become the foundation for similar laws in other parts of the world. Its critics argued the Regulation would be challenging and costly to implement, but 10 years after Google Spain v AEPD and Mario Costeja González, and five since the ruling was implemented, tech companies have learned to work with the law.
According to a Deloitte study six months after GDPR came into effect, consumers now had a more favourable opinion of companies collecting and storing personal data. At the same time, 92 per cent of the surveyed companies were confident of their ability to conform to the GDPR in the long term. Most interesting was the effect it was having on the rest of the world. The GDPR states that it applies only to collecting and presenting data within the European Economic Zone. Still, Deloitte notes how, six months after GDPR, companies in other jurisdictions were employing Data Protection Officers (DPOs), a requirement to ensure an organisation is aware of and trained on all GDPR regulations. In 2018, 74 per cent of organisations surveyed in Australia were already employing a DPO.
In the subsequent years, multinationals that had to adapt their policies to the EU law influenced rulings in their jurisdiction. California passed the California Consumer Privacy Act in 2018. China enacted the Personal Information Protection Law in 2021, which includes its own variation of the “right to erasure”. So it is not surprising that Australia used the GDPR as the foundation for its proposed Review of the Privacy Act 1988 (Cth).
The right to be de-indexed
The “right to be forgotten” doesn’t actually involve any forgetting. The information is not deleted from the internet – that would be impossible to implement. David Lindsay, a professor at UTS Law School who has written extensively about privacy in the digital era, explains that this is the right to request search engines to de-index private information.
The Privacy Act Review Report suggests the need, in proposal 18.5, to:
- “Introduce a right to de-index online search results containing personal information which is:
  - sensitive information …
  - information about a child
  - excessively detailed …
  - inaccurate, out-of-date, incomplete, irrelevant, or misleading”.
It further notes that, “The search engine may refer a suitable request to the OAIC [Office of the Australian Information Commissioner] for a fee. The right should be jurisdictionally limited to Australia.”
European Union General Data Protection Regulation, Article 17.1
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
- the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
The Report’s proposal 18.6 is that exceptions should be added, as in the GDPR, if it goes against the public interest to de-index the material, if this is inconsistent with another law or a contract with the individual, and if it is technically impossible to do so.
The Government response to the Privacy Act Review Report, published by Attorney General Mark Dreyfus, “agrees in principle” to most of the 116 proposals, including proposals 18.5 and 18.6. This means further stakeholder consultation will be needed before the changes are implemented. “The devil will always be in the detail,” says Lindsay. “There are a number of issues that need to be addressed about the scope.”
Implementing a new regulation several years after the European regulation means that Australia is able to analyse the positives and negatives of that experience. Before the GDPR, some expressed concern that regulating would be too costly for search engine operators, as well as that the Regulation would need to be balanced with other fundamental European rights, particularly the right to freedom of expression and the right to information. The sheer number of new complaints can only be resolved by a private entity, Lindsay observes.
“It would just be too costly to go through the formal proceedings of a court to resolve these issues. It’s not a perfect solution because there can’t be a perfect solution,” he says.
But the positives outweigh the negatives, Lindsay believes. The internet has not ceased to function in Europe, and Google has not stopped operating. Many of the critics’ concerns have not materialised, and in contrast many have had their rights protected, from people like Costeja González to a teacher with a wrongful conviction struggling to find a new job.
The Australian situation differs from the European in that in Europe, if something goes through the courts, the Union has the Charter of Fundamental Rights, which supplies the mechanisms for finding the right balance between all rights. Australia has no similar document, so the way that balance is struck needs to be established through legislation. Lindsay believes the current proposal has some limitations, for example in the sort of personal information that can form the basis of a complaint.
The applicable types of personal information detailed in proposal 18.5 are all consistent with European law, “but there would need to be exceptions when the information is in the public interest,” he says. “And that’s a difficult balance. For example, if it’s information about a public figure, such as a politician, the balance differs. And how that balance is established through legislation has to be different in the Australian context because we don’t have a Bill of Rights.”
Lindsay is generally in favour of a change to the Privacy Act, but he’s quick to note how some details still have to be worked out. He points out how ideally there would be an independent system regulating everything, but the recommendation relies on private parties, such as search engine operators, to apply the law. As a backstop, he notes, the recommendation does state that, in more complex cases, search engine operators can, for a small fee, request a ruling from the OAIC.
Then there’s one of the most controversial issues in the original GDPR: the question of the jurisdiction rulings, which was debated in Google v CNIL, when the CJEU ruled that, under the “right to erasure”, search engines don’t have to de-index results from all their domains – just the European domains. In the Australian case, the Report recommends applying a jurisdictional limit to the Country-Code Top Level Domain (ccTLD), ‘.au’ in the case of Australia; but then, the Journal asked Lindsay, what about companies that use a global top-level domain (the domain ‘.com’), or companies that operate in Australia but don’t use the country’s ‘.au’ domain?
“I think the best solution is to do something like the CNIL case, to say, in addition to being limited to .au,” Lindsay says, “there should be other measures to inhibit, or attempt to prevent, people in Australia from accessing other top-level domains, like geoblocking.”
Google has the technology to implement this, including geolocating. Lindsay observes it is not a radical proposal for “Australia to say to Google, you have these systems in place, so you can use the same for Australia.”
Right to privacy
Sean Conroy, CEO of Fileman, an information management company for lawyers, explains how the GDPR has enhanced privacy control, increased transparency by requiring companies to use collected data, and raised trust in consumers about providing their data to businesses. There are benefits to businesses as well.
“It provides a uniform framework, making it easier for companies to understand and meet their obligations, and mitigates risk by forcing companies to take data protection seriously,” he says.
Conroy also highlights three challenges that have arisen from the GDPR: small and medium-sized businesses have found the implementation costly; some businesses have found enforcement inconsistent; and “some organisations find GDPR regulations complex and difficult to interpret, leading to unintentional non-compliance”.
He adds, “While larger companies have been hit with significant fines, many argue that enforcement has been inconsistent, and some smaller companies have flown under the radar.”
The stated goal of the GDPR is to “safeguard personal data and uphold the privacy rights of anyone in the EU”. This allows individuals to have their data that was collected by other businesses erased under certain circumstances – for example, when it is no longer necessary for its intended purpose. This acknowledges how much the world has changed in the past 10 years, where a culture of unrestricted data collection has developed. For businesses, this is a way to help tailor their services more effectively, better project their brand to potential new clients and be ready to anticipate market trends.
But there is also that other, darker, side.
In 2022, Medibank and Optus were targets of the most significant data breach attack in Australia, with the sensitive and personal data of more than nine million people exposed. We have seen a proliferation of data-driven business models, accompanied by technological progress in cyber warfare.
In the government’s Response to the Privacy Act Review Report, the data breaches are mentioned on the third line of the introduction, with the comment, “Strong privacy protections are critical to building the security, confidence and trust necessary to drive innovation and economic growth.”
In 2014, Australia added an amendment to the Privacy Act that included the 13 Australian Privacy Principles (APPs) to regulate standards and use of personal information, the rights of individuals to access their data, and the way the principles are enforced and held accountable. Jarrod Bayliss-McCulloch, Special Counsel for the IPTech group in global law firm Baker McKenzie’s Melbourne office, recalls how the introduction of the APPs changed the paradigm. He was involved in helping businesses adapt to this new reality that, he says, “although quite onerous, was generally proportionate to the prevailing risks in the broader environment while still giving organisations enough flexibility to tailor their personal information handling practices to their business models and the diverse needs of individuals.”
Questioned on whether Australia really needs a statutory “right to be forgotten” at this time, Bayliss-McCulloch raises an important question: “What is the problem we are trying to solve, and is the proposed solution effective and proportionate?”
He points, for example, to proposal 18.3 in the Privacy Act Review Report, which provides for an individual to contact an entity directly to erase their personal information. Bayliss-McCulloch sees the proposal as an effective way to give an individual more control over his personal information while incentivising businesses to improve retention and destruction practices. But, as he notes, the proposal may go beyond the intention, and he questions whether that is necessary and proportionate.
“There are also questions regarding the appropriateness of the requirement to quarantine broad categories of information for potential future law enforcement purposes as contemplated under proposal 18.3(c) – without necessarily requiring a valid legal request from law enforcement,” he continues, “which is counter to data minimisation principles, seems to undermine the purpose of the right to erasure and may also be technically burdensome.”
On the question of cybersecurity, Bayliss-McCulloch highlights the importance of supporting Australian businesses and organisations in modernising and improving their cybersecurity practices. “Prevention is better than a cure”, he explains succinctly. The government acknowledges this in its Response by agreeing that the Privacy Act’s existing security obligations have to be enhanced while understanding the technical and organisational challenges that organisations face – the Response supports provision by the OAIC of enhanced guidelines on how businesses can keep personal information secure, as well as the proposed steps for destroying and de-identifying personal information.
Bayliss-McCulloch also states the importance of increasing the incentives for taking preventive measures and using privacy preserving technologies, which include a reduction in compliance costs and reduced regulatory requirements for less identifiable information.
In relation to the right to erasure and de-indexing, Bayliss-McCulloch acknowledges the importance of the intent, expressed in the Government’s Response, to ensure that any right to be forgotten will be subject to a balancing exercise that takes into account important competing public interests such as freedom of expression. However, he notes that the proposal currently seems to indicate that companies would be primarily responsible for undertaking this “evaluative balancing exercise” in response to erasure or de-indexing requests.
“These are not simple concepts, and resolving tensions between such important competing interests as personal privacy rights and the public interest in preserving legitimate freedom of expression tends to require complex analysis,” he concludes. “Is it realistic or appropriate to expect that an organisation will have the resources and expertise to effectively undertake such a complex and nuanced balancing exercise, particularly under pressure, to respond swiftly to individual information erasure requests, and, particularly in the de-indexing context, if the organisation that received the request is not the organisation that produced the content in the first place? So there is a real challenge in what is being proposed here.”
He continues, “If a right to de-index or right to be forgotten is introduced, flexibility and simplicity (and, to the extent practicable, consistency with international benchmarks) will be key to ensuring that organisations can respond decisively to requests, and in practice, the focus should be on mitigating harm to the individual to the extent practicable without compromising important other rights like legitimate freedom of expression.”
Many businesses have already started changing their practices, in many cases to comply with GDPR. Hamish Fraser, partner at Bird & Bird, notes how many of its clients already deal with GDPR, so the only concern now is how different protocols will be in Australia from those in other countries. “Most businesses are now global, and the big tech businesses are aware of their obligations in Europe,” he states, underlining how some are unsure of how different from the rest of the world the Australian case will end up being. “It’s wasteful [in terms of] resources to retune everything you do for different jurisdictions.”
Fraser also calls for further details that the Report and the Government Response currently do not provide. He is realistic that businesses that have not been compliant with GDPR will struggle – it was an imposition in Europe that reshaped the way they conducted business. He says, “Our data protection team in the UK went from a couple of people in the corner to one of the biggest practice groups in the firm.”
Fraser says his team has started discussing how they will respond to the legislation. “We have to map it against GDPR, try and develop a guide that talks about what you have to do differently.”
This is what Fraser calls “the biggest private revolution in Australia in a generation.”
Dreyfus has expressed interest in passing the legislation this Parliament term, but for now, he will continue the consultation with businesses and media organisations to flesh out the details and limitations on the rights. There is a vested interest in protecting the rights to privacy of Australians and ensuring their lives are not affected by this era of free-flowing digital information. In the opening ceremony to the 2012 London Olympic Games, the whole audience was spotlighted with the words “This is for Everyone” to symbolise the work of Sir Tim Berners-Lee, the inventor of the World Wide Web. In that perfect world, back in 1989, Berners-Lee saw the opportunity to connect the planet and decentralise information – just as Gutenberg did with his invention of the printing press and use of it to translate and distribute the Bible. But Berners-Lee also saw his invention misused against the people it was supposed to benefit. In a 2018 Vanity Fair profile, he aired his grievances and disappointment that the tool created to break barriers was being used to spy on and exploit the same people it was supposed to empower.
Is GDPR the solution to a fairer digital world, a world where information at the tip of our fingers cannot be weaponised? No first stepping stone is perfect, but an initiative like this is a way to pave the right path. Protecting law-abiding citizens from information being used against them is a worthy cause – as long as it doesn’t encroach on those other rights we believe in and take for granted.