The Right to Be Forgotten

November 2021 İdil Uz
Introduction

The right to be forgotten is not regulated directly under Turkish law, but is applied indirectly through legal regulations, guidelines and judicial decisions. This issue has started to come up frequently in Turkey, as well as in the rest of the world, due to the increasing importance of the protection of personal data and the development of the endless virtual memory of the internet.

Since personal data discloses the identity of an individual, makes it easier for them to be recognized and be remembered, and because the disclosure of certain facts could lead to discrimination, the protection of personal data is a fundamental right. For this reason, detailed legal regulations have been introduced all over the world in order to prevent unlawful access to this data and to ensure the privacy of the individual. On the other hand, one of the most important factors preventing privacy is the internet. Although the fact that the internet can carry information to every part of the world without distinguishing between time, place and person fundamentally supports rights such as the right to information, freedom of expression, freedom of press, and communication, it also poses a threat to an individual’s privacy, the protection and development of their spiritual existence, and the protection of their personal data. In this context, although the right to be forgotten has been needed for a long time, it is a relatively new right and the influence of the internet has a great place in the formation of this right.

This article will discuss the emergence of the concept of the right to be forgotten and its application around the world, as well as the relevant Turkish judicial decisions, regulations, and administrative decisions and guidelines.

The Right to Be Forgotten as a New Fundamental Right

The right to be forgotten can basically be summarized as the right to demand the deletion of the personal data of the individual and, in this way, to demand that the connection between a situation and the individual be prevented. However, due to its historical development, this right is mostly associated with the results obtained in search engines on the internet, and it is defined as the right of the individual to request that an outdated or unfavorable fact on the internet about them not be listed in search engines. This is also referred to as “delisting” or the “right to de-referencing.”[1]

The birth of the concepts of privacy and personal data protection, and their adoption all over the world, are based on the European Convention on Human Rights and Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (“Directive 95/46/EC”) in the European Union. Under these regulations, the processing, collection, correction and deletion of personal data are subject to the existence of certain conditions, and the individual has a right to have their data deleted if the conditions stated in Directive 95/46/EC exist. The right to the erasure of personal data regulated by Directive 95/46/EC is expressed as the "right to be forgotten" in the Costeja González v. Google Inc, Google Spain decision[2] of the Court of Justice of the European Union ("ECJ"), which laid the foundations of the right to be forgotten. This decision is considered to be a major step in the development of the concept of the right to be forgotten.[3]

In the event that led to the decision in question, a Spanish citizen named Costeja González filed a complaint before the Spanish Data Protection Authority about La Vanguardia newspaper, Google Spain and Google Inc. According to Costeja González, when he typed his name into Google, one of the first results was an article in La Vanguardia about him having to sell his property many years before due to his social security debts. In his complaint, González requested that La Vanguardia either remove the article in question or arrange it so that his personal data could not be seen, and asked Google Spain or Google Inc. to ensure that personal data concerning him was not listed in the search results, on the grounds that the proceedings against him had been completely concluded years earlier and that any references to them were unwarranted and irrelevant.[4]

The Spanish Data Protection Authority rejected the complaint about the newspaper on the grounds that it was obligatory, under national legislation, to announce the relevant information about the applicant, and that many people had an interest in accessing this information. On the other hand, the decision ordered Google to remove the relevant links, on the grounds that search engine operators are subject to data protection legislation as data controllers. Upon the appeal of this decision by Google, the Spanish National Court of Cassation also took the case to the ECJ for its opinion on the matter. In its decision, the ECJ stated that the personal data and the results listed in the search engine that were "invalid, incomplete, completely irrelevant or subsequently irrelevant" should be deleted, and held that the right to privacy is more important than the economic interest of the search engine and the right of the public to access information.

The right to be forgotten, embodied after this decision, is framed by 13 recommended criteria set by the Working Group, which was established as an independent advisory board on data protection and privacy in accordance with Article 29 of Directive 95/46/EC and the European Union General Data Protection Regulation (GDPR), which came into force by repealing Directive 95/46/EC. After this regulation, the concepts of personal data and the right to be forgotten began to be discussed in many countries, including the United States.

In addition, the decision of the ECJ paved the way for important steps to be taken in practice and enabled the search engines to start evaluating the requests for the right to be forgotten. In its transparency report,[5] Google includes enlightening information on the requests for removal from the list from the decision of the ECJ until the present, the categories of the relevant websites, the criteria used in the evaluation of the requests for removal from the list, examples of removal requests, and the reasons for the decisions made in accordance with the requests.

The Right to Be Forgotten under Turkish Law

Although it was stated by the Court of Cassation[6] that the right to be forgotten is a universal right, due to the fact that European Union regulations and the ECJ decision only cover European Union countries, the protection and use of the right to be forgotten in Turkey requires regulations in this direction.

The right to be forgotten can be based on constitutional rights such as the right of the individual to freely develop their material and spiritual existence (the Constitution of Turkey art. 17), the right to privacy and the protection of personal data (the Constitution of Turkey art. 20), and the right not to be compelled to express thoughts and opinions (the Constitution of Turkey art. 25). However, it is not regulated directly under either Law No. 6698 on the Protection of Personal Data (“PDPL”), which was prepared on the basis of Directive 95/46/EC, or Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed by Means of Such Publications (“Law No. 5651”).

Article 11/1,e of the PDPL and article 12 of the Regulation on Deletion, Destruction and Anonymization of Personal Data (“Destruction Regulation”) could be seen as a legal basis for the implementation of the right to be forgotten. Pursuant to article 11/1,e of the PDPL, each person has the right to apply to the controller and to request the erasure or destruction of their personal data. In addition, in order for this right to be exercised, it is required that all data processing conditions have disappeared (Art. 7/1 of the PDPL, Art. 12 of the Destruction Regulation). On the other hand, the right to be forgotten is indirectly mentioned in the amendments introduced in Law No. 5651 with Law No. 7253[7] published in the Official Gazette dated 31 July 2020. Pursuant to article 9/10 of Law No. 5651, if requested by those whose personal rights have been violated due to the content of the publications on the internet, the judge may decide not to associate the applicant's name with a particular internet address.

The aforementioned regulations are highly criticized since they are not directly compatible with the right to be forgotten and stipulate various exceptions and conditions. However, although it is not directly regulated, it is clearly stated in judicial decisions, the decisions of the Personal Data Protection Board (“PDP Board”) and the published guidelines that the right to be forgotten is a right that can be requested in Turkey as well.

The decision numbered 2014/4-56 E., 2015/1679 K. and dated 17.06.2015 of the Court of Cassation Assembly of Civil Chambers states that the right to be forgotten and the storage or retention of personal data to the extent necessary and for the shortest period of time actually constitute the framework of the right to protect personal data, and the basis of both rights lies in ensuring that the individual can freely dispose of his/her personal data, plan for the future without being hindered by the past, and prevent the use of personal data against the person. Subsequently, the Court emphasized that the right to be forgotten ensures that the future of the person is prevented from being negatively affected by his/her own will or due to an event caused by a third person, and that the individual's ability to shape his/her future by getting rid of the negative effects of the past is not only for the benefit of the individual, but also has an indisputable effect on the improvement of the quality of the society. The right to be forgotten is expressed as the right to request that the negative events in the digital memory be forgotten after a while and the deletion and prevention of the dissemination of personal data that they do not want others to know unless there is a superior public interest. The Court of Cassation defines the right to be forgotten by indicating that it not only provides the person with the right to "control the past," or "the right to request that certain issues be erased from their history and not to be remembered," but, in addition, it imposes an obligation on third parties not to use some information about the person, or to take measures to prevent third parties from remembering it.

Furthermore, although the right to be forgotten is thought to be regulated for digital data, considering the characteristics of this right and its relationship with human rights, the Court of Cassation states that it should be accepted not only for personal data in the digital environment, but also for personal data kept in a place where it can easily be accessed by the public.

In addition to the approach of the Court of Cassation to the right to be forgotten, the decisions of the Constitutional Court in this direction are also noteworthy. In its decision on the Application of N.B.B. dated 03/03/2016 and numbered 2013/5653, which is considered to be one of the most important decisions of the Constitutional Court on this issue, the Court stated that today, when it is difficult to be forgotten with internet journalism, it is possible to re-establish the balance by accepting the right of an individual to be forgotten for the sake of their honor and reputation. It also emphasized that the state has a responsibility to give the individual the opportunity to “turn a new page” by preventing others from learning about their past experiences, and the right to be forgotten is a result of the positive obligation of the state in terms of providing an opportunity for individuals to develop their spiritual existence. The Court clarified the criteria that should be evaluated in terms of the right to be forgotten and stated that they should be examined in terms of each concrete event. Accordingly, in order for internet news to be removed from the internet within the scope of the right to be forgotten, the content of the publication, its duration, whether it is just out of date or whether it is accepted as being historical information, its contribution to the public interest (the value of the news in terms of society, the quality of the news that sheds light on the future), whether the person who is the subject of the news is a politician or a celebrity, issues such as the subject of the news or article, whether the news contains facts or value judgments, and the public's interest in the relevant data shall be examined.

In addition to judicial decisions, the PDP Board emphasizes the importance of this right by publishing decisions and guidelines that address the right to be forgotten. The PDP Board referred to the right to be forgotten in its decision[8] on requests for the removal of the names and surnames of individuals and the results of searches made through search engines from the index. They also explained the criteria to be taken into account during the examination of these requests. Accordingly, during the evaluation, criteria such as whether the person concerned plays an important role in public life, whether the subject of the search is a child, whether the content of the information is correct, whether the information is related to the person's working life, whether it is defamatory, and whether it contains sensitive personal data shall be examined. Finally, the PDP Board has published a booklet named Evaluation of the Right to be Forgotten Specific to Search Engines, in order to guide practitioners working in this area.[9]

[1] Kaya, Mehmet Bedii: Right to Be Forgotten; https://www.mbkaya.com/hukuk/unutulmahakki.pdf Access Date: November 2021

[2] ECJ, the Court of Justice of the European Union, The decision numbered K.131/12 and dated 13/05/2014 https://curia.europa.eu/juris/document/document.jsf?docid=152065&doclang=en Access Date: November 2021

[3] Elmalıca, Hasan: The Right to Be Forgotten as a Fundamental Human Right Revealed by the Information Age. Ankara Uni. Law Faculty Journal, 65 (4) 2016: 1603-1636

[4] Nalbantoğlu, Seray: The Right to Be Forgotten as a Fundamental Right. the Turkish Justice Academy Journal, Year:9, No:35 (July 2018)

[5] Google Transparency Report https://transparencyreport.google.com/eu-privacy/overview?hl=en Access Date: November 2021

[6] “The right to be forgotten is among the universal rights of individuals.” The decision numbered 2016/927 E. 2016/3874 K. of 16th Panel Chamber of the Court of Cassation

[7] Law No. 7253 on the Amendment to the Law on the Regulation of Publications on the Internet and Combating Crimes Committed through Such Publication, which entered in force through publication in the Official Gazette dated 31.07.2020 and numbered 31202

[8] The decision dated 23/06/2020 and numbered 2020/481 of the Personal Data Protection Board

[9] The Right to be Forgotten (Evaluation of the Right to be Forgotten Specific to Search Engines) https://kvkk.gov.tr/SharedFolderServer/CMSFiles/11b6fd99-d42a-45b1-a009-21f2d36ded21.pdf Access Date: November 2021

All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.
