November 8, 2023
In the modern world, information of all forms, including personal data, is a valuable resource that is beginning to show its true worth. In order to protect ordinary people from personal data infringement, many countries in the world have enacted legislation stipulating the rights of the data subject. Among many such rights, there is one that is often overlooked – the right to be forgotten.
The right to be forgotten refers to the right of the data subject to the erasure of their information. As the information belongs to the data subject, it is understandable that the subject should have the right to erase it or request its erasure. The right to be forgotten could be considered one of the basic rights of data subjects alongside other rights such as the right to be informed, the right to access and the right to rectification.
The EU is the forerunner in the race toward effective data protection. This is evidenced by the existence of the General Data Protection Regulations (“GDPR” for short) – the first comprehensive data protection regulations. GDPR was introduced in 2016 and went into effect in 2018, and since then it has been considered the “gold standard” of personal data protection around the world.
The right to be forgotten is stipulated in Article 17 of GDPR, under which the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where certain grounds apply, including cases where the data subject withdraws his/her consent to data processing; the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; the data subject objects to the processing; the personal data have been unlawfully processed; the personal data have to be erased for compliance with a legal obligation; or the data has been collected in relation to the offer of information society services. Article 17.2 of GDPR also stipulates that, where erasure is requested and the data was disclosed, the controller who originally disclosed the personal data shall have to inform the controllers who are in control of the data that the data subject requested the erasure of their data. Furthermore, when the data is erased, the data controller also has to inform all recipients of the data of such erasure. These regulations serve to protect personal information that has gone through multiple controllers and protect the data subjects by placing the burden of erasing second-hand data on the original controller rather than having the data subjects find each individual controller and request that it erase the data[1].
The controller, therefore, is both automatically subject to statutory erasure obligations and also has to comply with the data subjects’ requests for erasure. However, there are exceptions where the right to erasure shall not apply as in cases where the processing is necessary to exercise the right to freedom of information, for reasons of public interests, legal compliance, etc.
The right to be forgotten in the GDPR is rather comprehensive and gives the data subject the right to request the data controller to erase their information, but it also presents cases where such rights cannot be exercised, with emphasis on public interests. This shows that the EU supports the right to be forgotten and values personal privacy. However, with this regulation, it also acknowledges that the right is not absolute and needs to be balanced with other rights.
Furthermore, the right to be forgotten in the EU also includes the right to be delisted, which was first established in May 2014 in the case “Google Spain v AEPD and Mario Costeja González”. In 2010, a Spanish citizen, Mario Costeja González, filed a claim against a newspaper at the Spanish Authority for Personal Data Protection. The complaint concerned how all Google searches of his name returned two specific articles of the newspaper about him. Mario argued that the information about him in the articles was obsolete and requested that the newspaper erase his name from the articles and that Google remove his personal data from searches of his name. The Spanish Data Protection Authority dismissed the claim against the newspaper, but approved the claim against Google[2]. In the end, the European Court of Justice decided that EU Directive 95/46/EC of October 24th, 1995 on the protection of individuals with regard to the processing of personal data and on the free circulation of such data gave individuals the right to ask search engines to delist certain results for searches related to a person’s name. This means that any person has the right to request that search engines remove links to freely accessible web pages resulting from the search of their name[3]. This was a landmark case that paved the way for the codification of the right to be forgotten.
When considering what to delist, search engines must examine whether the information is “inaccurate, inadequate, irrelevant or excessive,” or whether there is a public interest in the information remaining available in search results[4].
In other countries, the right to be delisted has also been established. In July 2015, Russia passed a law allowing citizens to delist links from Russian search engines if the information “violates Russian laws or if the information is false or has become obsolete”. Turkey and Serbia have also enacted similar regulations[5]. This goes to show just how prevalent the right to be forgotten has become in the digital age.
Many other data protection regulations that came after GDPR took heavy inspiration from it, such as the Personal Information Protection Law (“PIPL” for short), which was issued by the Chinese government and went into effect in 2021. PIPL also includes a provision regarding the right to erasure in Article 47, which states that: Under any of the following circumstances, a personal information processor shall delete personal information on its own initiative; if the personal information processor has not deleted it, the individual concerned shall have the right to request deletion: (I) where the purpose of processing has been achieved, unable to achieve, or is no longer necessary to achieve; (II) where the personal information processor stops providing products or services, or the agreed storage period has expired; (III) where the individual withdraws his/her consent; (IV) where the personal information processor processes personal information in violation of laws, administrative regulations, or the agreement; or (V) any other circumstance as prescribed by laws and administrative regulations.
We can see that the right to erasure in PIPL is, for the most part, similar to that in GDPR. However, there is one caveat to this right: if the statutory storage period under applicable laws and regulations has not expired or if it is technically unfeasible to delete the personal information, the data processor shall stop processing activities other than storage and apply necessary security measures. This shows that there are limitations to the right to erasure in PIPL as well, with the right having to comply with legal regulations on storage periods in other laws and regulations.
Currently, Vietnam’s legislation on personal data protection is very much bare-bones, with bits of data-related regulations scattered across various legal documents spanning many years.
One of the earliest instances where the right to be forgotten is mentioned is in Article 22.1 of the 2006 Law on Information Technology which states: “Individuals have the right to request organizations, individuals processing their personal information on cyberspace to examine, rectify or cancel such information”. This shows that the Vietnamese government has been aware of the importance of personal data since the beginning of the 21st century. However, since then, the attention has mostly been focused on cyber information.
More recently, Article 18 of the 2015 Cyberinformation Security Law stipulates that: “Data subjects may request personal data processing organizations and individuals to update, alter or cancel their personal information collected or stored by the latter or to stop providing such personal information to a third party” and that “Personal data processing organizations and individuals shall delete the stored personal information when they have accomplished their purposes or if the storage time has expired and notify to data subjects, unless otherwise prescribed by law”. While these regulations do expand upon the right to be forgotten, the scope of the law itself only extends to cyberinformation and neglects other forms of data storage. While cyber information makes up the overwhelming majority of personal data in the modern world, data stored in other forms still holds significance. Also, if regulations tighten controls over cyber information, violators could turn to other forms of data to escape that control. As such, it is necessary to impose general, comprehensive regulations that expand upon the right to be forgotten and apply to all forms of personal data.
In 2021, the Ministry of Public Security presented the Government with the Draft Decree on Personal Data Protection, which provides more concrete definitions, rights of data subjects such as the right to be informed and the right to withdraw consent, and the obligations of the data processor. This will allow all personal information, regardless of form, to be protected. Regarding the right to be forgotten specifically, the personal data processor must stop storing and erase personal data in the following cases: a) The data is not being processed for the purposes registered or informed to the data subjects; b) The continued storage of the data is no longer necessary for the activities of the Personal Data Processor; c) 20 years have passed since the death of the data subjects, except if the data subjects agreed otherwise.
With the upcoming Draft Decree on Personal Information Protection, it is appropriate that we examine how the right to be forgotten should be integrated into the Vietnamese legal system.
Firstly, the scope of cases where the right to be forgotten is automatically invoked should be expanded to cover more grounds. Data subjects should have the right to request the erasure of their information, but at the same time, the data processors should also have the obligation to erase personal data in certain circumstances. The reason is that most data subjects are individuals and therefore not well-versed in the legal ins and outs. As such, they normally would not have the ability or capacity to track their data and exercise their rights. It is important that legislators see that this is not just a right of the data subjects but also an obligation of the data processors.
Secondly, we must recognize that the right to erasure is not absolute and must be subject to its circumstances. The data subject should not have the right to erase their personal data in all cases. The purpose of the right to be forgotten is to ensure that data is processed for the right purposes, is accurate and stays updated. There must be exceptions where data should not be erased, such as for the benefit of the general public, for freedom of expression or for legal compliance. The Covid-19 pandemic is a great example of how the right to be forgotten is not absolute. Identifying those infected with Covid-19 is necessary to combat the pandemic. In this case, Covid-19 patients should not be able to request their personal data be erased from the public records since it would be detrimental to the efforts against the pandemic and affect the country as a whole.
Finally, Vietnam should take note of the EU and include the right to be delisted as a part of the right to be forgotten. Delisting is not the erasure of the information; it only erases the results of some searches. In some cases where the erasure of the information might not be ideal, delisting could be an alternative method to balance out the interests of the involved parties.
In all, the right to be forgotten is a fundamental right in the field of personal data protection. However, it is not absolute. It is the job of the legislators to balance the right to be forgotten with the interests of other concerned parties in order to bring about a healthy data environment.
[1] GDPR art 19.
[2] https://www.homodigitalis.gr/en/posts/2900
[3] https://www.conseil-etat.fr/en/news/right-to-be-delisted
[4] https://support.google.com/legal/answer/10769224?hl=en
[5] https://support.google.com/legal/answer/10769224?hl=en