Privacy, Data Privacy, Data Protection, Privacy Law, Privacy Rights
By Esther Nkechinyere Odunze
The Internet Always Remembers
The internet never forgets. This seemingly casual sentence posits that the web can be as useful as possible but dreadful if you do not like what it finds about you. The right to be forgotten, which is also known as the right of erasure, enables individuals to request the deletion or removal of their personal data found on online platforms or databases. The request is made by data subjects to data controllers or processors, where such data is no longer necessary for the purposes for which it was collected or processed.
The right to be forgotten can be traced to the landmark case of Google Spain SL, Google Inc v. Agencia Española de Protección de Datos, Mario Costeja González (2014). Mr Costeja González, a Spanish national resident in Spain, lodged a complaint before the European Court of Justice (“the CJEU”) against Google Spain and Google Inc that upon entry of his name on Google Search, the information associated with his name was a time in 1998 when his property was put up for auction in connection with attachment proceedings for the recovery of social security debts. He contended that the attachment proceedings had been fully resolved for a number of years and that reference to them was now inaccurate and offensive. Thus, he demanded the deletion of the information.
In its ruling, the Court of justice compared the privacy rights of Mr Costeja over Google’s economic interest. With this decision, the Court found that Google had the obligation to erase the personal data of Mario Costeja Gonzalez on its search engine upon his request. Thus, this decision became a locus classicus as it acknowledged the right to be forgotten for data subjects and the pertinent obligation of the data controller and was subsequently codified in the European Union General Data Protection Regulations (“GDPR”).
The Nigerian Data Protection Regulation 2019 (NDPR) recognizes the Right to be Forgotten. Under Section 3.1(9) of the NDPR, individuals have the right to request the erasure of their personal data where:
The data is no longer necessary for the purpose for which it was collected or processed.
The individual withdraws their consent on which the processing of their data was based and there is no other legal ground for such processing.
The individual objects to the processing of their data and there are no overriding legitimate grounds for such processing.
The personal data was unlawfully processed.
The personal data has to be erased in compliance with a legal obligation in Nigerian law.
Data controllers and processors are required to act promptly and respond to requests for erasure within 30 days of receipt of such requests. Where it is not possible to comply with a request for erasure, the data controller or processor must provide reasons for such non-compliance to the individual who made the request.
It is important to note that the right to erasure is not an absolute right, as it is subject to certain limitations. For instance, data controllers and processors may refuse to erase personal data where it is necessary for the exercise of the right of freedom of expression and information, for compliance with a legal obligation, or for the establishment, exercise, or defense of legal claims.
As impressive as this right of erasure is in entrenching the right to privacy, it has raised several issues that have been widely debated. First is the risk of censorship of publicly available information. It has been argued that the right can be abused to control the press and hide facts that would ordinarily be accessible to the public. The second issue is the territorial limitation. The decision in Google v CNIL clarifies that while EU residents have a right to be forgotten flowing from the GDPR, its territorial limitation is only applicable to the EU states. Information on sites like Google are ubiquitous. This begs this question, how forgotten can the deleted information be in light of territorial limitation? This a question worth answering by the Nigerian courts.
Another issue is the challenges in enforcement. The implication of this right is that there would be floods of requests. In that regard, search engines and sites like Google would need to set up an automated process to handle such requests. This would cost a huge amount of money to implement. There is also the issue of balancing the right to be forgotten against public and economic interest. A line has to be drawn on when an individual’s right to privacy should overweigh public interest.
In conclusion, the Right to be Forgotten is an essential aspect of data protection under the NDPR. However, this subject is very much novel under the Nigerian Law as there has been no case law or judicial authority on the right to be forgotten. As important as it is for data controllers to comply with the NDPR’s requirements and take adequate measures to protect personal data to avoid liability and penalties for non-compliance, it is also crucial for judges to undergo trainings on the principles of the NDPR and the rights of Data Subjects in anticipation of litigation on privacy rights. Notably, different techniques have been proposed as an alternative to total erasure of data. Examples are data minimisation techniques such as anonymisation, encryption and pseudonymisation of data. How effective is this approach considering that the information sought to be deleted may have been published in paper prints and sold to the general public? What, then, is the better approach?
Originally published by Esther Nkechinyere Odunze on Medium
Reach Esther Nkechinyere Odunze on LinkedIn.