GDPR: Right to be Forgotten

Jan mentioned that data controllers have to ensure "every instance of their personal data is eliminated across all platforms". I believe that is a bit of an overstatement. I would have probably worded it as "every instance of their personal data where processing is authorized by the controller is eliminated". I don't think the original version meant to cover instances where the data has been processed by others who have not been authorized and do not have any contractual relationship with the controller. I think such a scenario would be possible in real life. In the Google Spain case, La Vanguardia Ediciones SL processed and published Mr González's personal data under the journalistic exemption [1]. Google Spain indexed that page without informing La Vanguardia. This constitutes data processing according to the judgment [2]. I believe it is safe to say that Google Spain has never been authorized by La Vanguardia to process personal data and it would be too onerous to expect La Vanguardia to chase down and enforce the data subject's request on companies which they may not even know may be processing the data subject's data, let alone even have a contractual relationship with. Furthermore, there may also be web services which aggregate or summarise data from multiple sources. How would you determine if that data originally came from La Vanguardia or some other media outlet that also reported on the case.

Would the practical effect have differed? I don't believe so. The crux lies in the statement "shall be considered responsible for that publication". Jan's position is that responsibility includes both 'informing' and 'enforcing' the data subject's request. "Responsibility" as defined in Recital 74 states that "appropriate and effective measures" have to be taken "to demonstrate compliance" [3]. What would be considered appropriate? I believe that the controller should have a contractual clause indicating that the third party must comply with requests from the controller to remove personal data on request. The controller should ensure third party has appropriate processes that are certified and audited before entrusting the third party with the processing. In my opinion, these are the appropriate measures and would have sufficed under the controller's responsibility even in the original version. I don't think the original version meant to go as far as to include "enforcement". The third party is an independent party that cannot be compelled to perform an act. Holding a controller responsible for the actus reus committed by a third party even after the controller has taken appropriate safeguards is a bit far fetched in my opinion. Therefore I believe the practical effect might not have differ much, the current version was revised to bring greater clarity by using the term "reasonable steps". The original version would have discharged the controller of liability as long as similar "reasonable steps" were taken.

On a side note, reading through the Google Spain case brought up something I chanced upon some years ago. In the Google Spain case, Mr González wanted embarrassing financial information (recovery of social security debts)about him no longer searchable as it had been fully resolved and was outdated information. The UK government has been publishing similar embarrassing financial information about insolvent individuals since 1703. Patrick Dennis Ellis Trueman, Unemployed, born 29/11/1962, residing at 1 StonebridgeLane, Great Houghton, Barnsley, South Yorkshire S72 0BY was declared bankrupt on 16/03/2009 [4][5]. The gazette also provides a search bar similar to Google which allows anyone to search any names to reveal past embarrassing financial information about a person. Unfortunately for Patrick, his embarrassing financial information happened to be a matter of public record and so will probably remain searchable for the next 300 years.

[1] Case C-131/12 Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González [2014], Para 85

[2] Case C-131/12 Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González [2014], Para 41

[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1, Recital 74

[4] His Majesty's Stationery Office, 'Patrick Trueman | Bankruptcy Orders | The Gazette' accessed 10 November 2023.

[4] His Majesty's Stationery Office, 'Patrick Trueman | Notice of Dividends' accessed 10 November 2023.