A recent judgment in the EU deals with the concept of the right to be forgotten. This right is exercised by an individual when he or she requires that information, otherwise in the public domain, must be removed or, at least, a link to that information must be disabled in order to render the information less publically accessible.
The judgment in Google Spain, Google v Agencia Española de Protección de Datos, Mario Costeja González C-131/12 provides for interesting reading in so far as the rights of users of social media are concerned and those of us generally who may experience, or have experienced, the consequences of embarrassing information publically accessible on the internet or social media sites.
“An internet search engine operator is responsible for the processing that it carries out of personal data which appear on web pages published by third parties.
“Thus, if, following a search made on the basis of a person’s name, the list of results displays a link to a web page which contains information on the person in question, that data subject may approach the operator directly and, where the operator does not grant his request, bring the matter before the competent authorities in order to obtain, under certain conditions, [for] the removal of that link from the list of results.”
In the information age, the question arises as to the response by South African law to the right to be forgotten, more particularly, in the face of the impending Protection of Personal Information Act No 4 of 2013 or POPIA.
POPIA does not mention expressly the right to be forgotten. However, it contains a number of information principles, to which it refers as the “conditions for lawful processing of personal information”.
Among the rights that one enjoys as a data subject, which is the term POPIA uses to describe people about whom information is processed, are included the requirement that information that is kept about an individual must be “complete, accurate, not misleading and updated where necessary” and that the data subject is entitled to participate in the processing of his or her information.
While POPIA is not yet in force, as we await a date for it to become effective to be published by the president, the consequences of how data subjects are entitled to participate in the processing of information about them must be understood in order for people processing information or “responsible parties” to do so lawfully.
The right to be forgotten lies in the principles set out in Condition 8, more particularly, those principles that allow data subjects to require a responsible party to delete or destroy that information. However, the process is one that is complex and should be understood clearly by both data subjects and responsible parties.
In terms of section 23(1) of POPIA, a data subject is entitled to require a responsible party to confirm, without charge, “whether or not the responsible party holds personal information about the data subject”. In addition, the data subject may request a copy of the information held about him or her from the responsible party and for the responsible party to identify any third parties who may have access to that information.
The response by the responsible party must contain certain prescribed information and a right is afforded to the responsible party to refuse the request by the data subject. The refusal of any request for information must be dealt with pursuant to the provisions of legislation dealing with access to information.
The rights afforded to responsible parties, more particularly, the right to refuse a request for access may conflict with the rights in section 24 of POPIA, which allows a data subject to require a responsible party to correct personal information.
This is where South African law aligns itself with the European position as set out in the González judgment. Section 24 affords a data subject the right to send a request to a responsible party, which request must be in a prescribed format, set out in regulations to be published, requiring the responsible party to:
- Correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or
- Destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised to retain in terms of section 14.
While it may appear to be a comprehensive right afforded to a data subject to have information about him or her removed or deleted by a responsible party, the right is not as broad as initially conceived.
On closer examination, the right to be forgotten in South African law is only applicable where information, which is being held by the responsible party, is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or has been obtained unlawfully.
The right to be forgotten is simply not available to remove embarrassing, disconcerting or unpleasant information. Therefore, a data subject will have to motivate why information that he or she requires to be deleted bears one or more of the characteristics referred to in section 24(1)(a) of POPIA.
The destruction or deletion of information is also peculiarly confined to the application of section 14 of POPIA, which imposes certain restrictions on the retention and keeping of records.
Section 14, in turn, allows a responsible party to retain certain information where it is required or authorised by law to do so, or the responsible party requires the record:
- For lawful purposes “related to its functions or activities”;
- In the view that the information must be retained in terms of contractual obligations; or
- Has the consent of the data subject in respect of the retention of the information concerned.
The right to be forgotten is carefully proscribed in South African law and is not enjoyed completely by data subjects and is not a right that is without limitation.
Data subjects are, therefore, cautioned to understand precisely what consent is provided when information is furnished to third parties, especially where, in due course, that information may be embarrassing and through one or more potentially ill-considered steps is placed in the public domain.
The right to be forgotten in South African law is based on a right of a data subject to request that certain information be deleted or destroyed. However, the processor of the information is not obliged to do so, especially in circumstances where the information may be retained with due justification in terms of the provisions of POPIA, which leaves South Africans not so much with the right to be forgotten as the right to ask to be forgotten.
The question is what information is out there about you that may be embarrassing or cause some degree of discomfort if placed into the wrong hands or viewed by a prospective employer, an intended fiancé or new spouse or even your children? The next question is what can you do about the life span of that information?
Whether or not section 24 of POPIA sufficiently protects the privacy of data subjects, as guaranteed in the Constitution of the Republic of South Africa, 1996, will be tested as information regulation becomes a way of life under a POPIA regime.