Waboga David

Examining the Legal Conundrum: A Comprehensive Analysis of the Right to Be Forgotten, Freedom of Expression, and Their Interplay in the Evolving Online Landscape of Uganda.

Abstract.

This article analyzes an individual’s right to privacy on the internet alongside the right to complain to the different internet search engines, that is, the right to be forgotten, also called "de-indexing" or "de-referencing" on the Internet.


This comes at a time when Uganda’s cyberspace is becoming an avenue for cyber crimes that leave the majority injured, specifically when personal data is included in social networking sites, homepages, blogs and tweets, thus leaving such internet users vulnerable.


This article therefore intends to find out whether an individual who enforces the right to be forgotten does not, in the long run, deny other people liberties such as freedom of expression online and the right to access information about a person. What next after the European Court of Justice modified the law on the right to be forgotten but left no winners? What can Uganda do to observe the right to be forgotten on the internet without denying others their right to express themselves? It also considers any possible recommendations to ensure adherence to this right of privacy, the right to be forgotten.


Introduction and Background

Uganda, like all other places in the world, is gaining momentum in terms of quick access to information through the various online tabloids and digital news outlets, which has been largely attributed to the rapid increase of smartphone users. Recent data by Digital Uganda 2021[1] revealed that there were about 12.16 million internet users in Uganda in January 2021, an increase of 1.5 million (+14%) between 2020 and 2021, and that Internet penetration in Uganda stood at 26.2% in January 2021. This has had benefits such as easy implementation of government initiatives (specifically E-governance).[2]


The flipside of the coin is that most internet users have been subjected to cyber crimes due to the mushrooming news outlets (blogs in particular) on the internet that are quick to break news, ‘accurate or not’, spreading political propaganda and smear campaigns against celebrity profiles, which has left many internet users vulnerable. A case in point is Faridah Nakazibwe v Red Pepper, decided by the Media Council of Uganda[3], wherein, in a period of one year, the local tabloids wrote 38 defamatory articles about Faridah Nakazibwe and also used her pictures without her consent, thus invading her right to privacy and subjecting her to mental anguish and lowered esteem in the eyes of her children, family and society. Red Pepper was thus ordered to pay her a fine amounting to Shs 45 million.


That is notwithstanding the discrimination a person can be subjected to when applying for a job, since today most job recruiters first search for the applicant’s profile on the internet. The question is: what if the links returned by the search are based on falsehoods arising from the actions of 3rd parties, inconclusive information, and basically propaganda and smear campaigns? This is even though Section 6 (3) of the Employment Act 2006[4] is to the effect that discrimination in employment shall be unlawful and that, for the purposes of this Act, discrimination includes any distinction, exclusion or preference made on the basis of race, colour, sex, religion, political opinion, national extraction or social origin, the HIV status or disability which has the effect of nullifying or impairing the treatment of a person in employment or occupation, or of preventing an employee from obtaining any benefit under a contract of service.


So job recruitment agencies that base their preference on whom to employ on web searches and the links provided by the different search engines violate applicants’ rights of access to employment, and such searches sometimes lead to people being fired.[5]


The Development of the Right to be forgotten / "De-indexing" or "De-referencing" on the Internet.


The right to be forgotten, which is also referred to as "de-indexing" or "de-referencing", is a term used in the context of search engines and service providers, i.e. Google, Yahoo, Ask.com and Bing, among others. It simply means the right of an individual to make a complaint to the different service providers that links about that person be removed if they contain information which is usually posted by 3rd parties and is inconclusive (in the sense that it creates doubt), irrelevant or no longer relevant.


This right is provided for under Article 17 of the GDPR (European Union’s Law on General Data Protection Rules)[6], which states as follows;

  1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

    1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

    2. the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

    3. the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

    4. the personal data have been unlawfully processed;

    5. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

    6. the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

  2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

  3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

    1. for exercising the right of freedom of expression and information;

    2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

    3. for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);

    4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

    5. for the establishment, exercise or defence of legal claims.


This same principle is also envisaged in our law on the rights of the data subject under Section 28 of The Data Protection and Privacy Act 2019[7], which guarantees the data subject the right to rectification, blocking, erasure and destruction of personal data.

1. Where the Authority[8] is satisfied on a complaint of a data subject that personal data on that data subject is inaccurate, the Authority may order the data controller to rectify, update, block, erase, or destroy the data.

2. Subsection (1) applies whether the data is an accurate record of information received or obtained by the data controller from the data subject or a third party.

3. Where the data is an inaccurate record of the information, the Authority may direct the data controller to update the statement of the true facts which the Authority considers appropriate.

4. Where the data complained of has been rectified, blocked, updated, erased or destroyed, the data controller is required to notify third parties to whom the data has been previously disclosed of the rectification, blocking, updated, erasure or destruction.


Case Law Development on the Right to be forgotten.


The locus classicus case on the right to be forgotten is the decision of Google Spain SL and Google Inc. v. Agencia Espanola de Proteccion de Datos (AEPD) and Mario Costeja Gonzalez[9], which was heard by the Court of Justice in May 2014.


The facts, briefly, are as follows. In 1998, La Vanguardia newspaper of Spain published two articles concerning an attachment and garnishment action against Costeja González. In 2009, Costeja González contacted the newspaper, asserting that when his name was entered in Google.com, there was still a reference to the pages of the newspaper concerning the legal action. González argued that the information should be removed because the proceedings were concluded years earlier and that there was no outstanding claim against him. The newspaper, however, denied his demand, claiming that the legal action was published pursuant to an order by Spain’s Ministry of Labor and Social Affairs. Then in 2010, he contacted Google Spain, arguing that the online search results of his name should not make reference to the newspaper’s publication of his legal proceedings.


Upon Google’s failure to comply, González brought a complaint before Spain’s Data Protection Agency against the newspaper, Google Spain, and Google Inc. The Agency dismissed the action against the newspaper, reasoning that the publication was made pursuant to a government order. But it upheld the complaint against Google and its subsidiary, Google Spain. It held that because the operators of Internet search engines process personal data, they are subject to relevant privacy legislation and can be under the obligation to remove information that compromises the fundamental right to privacy.


Subsequently, Google Inc. and Google Spain brought separate appeals against the decision. The National High Court of Spain decided to stay the proceedings as the assessment of Google’s obligation to protect personal data that are otherwise published on third parties’ websites.[10]


The judgment of the highest court was in favor of Mr. Gonzalez and against Google, as the court held that the fundamental right to private life and protection of personal data is guaranteed under Articles 7 and 8 of the European Charter (Frantziou, 2014). Search engines have the innate ability of finding information about personal life from multiple sources that are displayed on the search results. This form of personal data can be interlinked with each other and can also create a detailed profile of the individual (Frantziou, 2014).


Under such circumstances, Google search engines were held to be controllers of data, and Google Spain was directed to have control over what kind of information is displayed on its search engines. Right to privacy and protection can allow an individual to seek deletion of any information that they do not want the search engines to list (Bernal, 2014)[11]


Conclusion of the Court’s ruling.


The Court ruled that “the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.” [para. 88][12]


The Contrast of the Right to be Forgotten.

The Court held that individuals whose personal data are publicly available through Internet search engines may “request that the information in question no longer be made available to the general public on account of its inclusion in such a list of results” as their rights to privacy and protection of personal data override “not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name.” [para. 81][13]

The Court, however, emphasized that the right to initiate such request may cease to exist when access to personal information “is justified by the preponderant interest of the general public in having, on account of its inclusion in the list of results, access to the information in question.” [para. 99][14]


Relation of the Right to be forgotten in Uganda.

The Constitution of Uganda under Article 27 (2)[15] provides for the protection of every individual’s right to privacy. Clause (2) states that ‘No person shall be subjected to interference with the privacy of that person's home, correspondence, communication or other property.’ This basically means that every individual has a right to privacy, and if anyone violates this right on the internet through 3rd party outlets, such as by publication of defamatory content about that individual, the legal position is the right to be forgotten, which is synonymous with data protection as stated under Section 28 of the Data Protection and Privacy Act, 2019, which gives the data subject a right to complain to the Authority against data processors for rectification, blocking, erasure and destruction of personal data.


It suffices to say that even though our laws have provided for remedies, as observed in the various legislations[16], the option of legal recourse is rarely embarked on by most people due to financial incapability, low levels of acceptability of cyber laws in courts (which is a threat to legal experience), lack of harmonization of laws and, above all, lack of willingness to change the status quo[17]. When it is pursued, the damage suffered by these victims of cyber offences is in most cases beyond recourse.

This leads to one major question: whether internet users who have suffered online injustices can complain to the different internet servers or search engines to have links to information that is not conclusive, and in most cases violates their right to privacy, pulled down, or to have any search results that link to them de-indexed.


The Legal Conundrum it creates.

The law on the right to be forgotten is, for all intents and purposes, very good law, but it creates a tension with the right to freedom of expression and access to information. Article 29 (1) (a) of the Constitution is to the effect that ‘Every person shall have the right to (a) freedom of speech and expression, which shall include freedom of the press and other media’, and the Supreme Court has already made its position clear on freedom of expression in the case of Charles Onyango Obbo and Anor versus the Attorney General[18], where Justice Mulenga observed that “Subject to the limitation under Article 43, a person’s expression or statement is not precluded from the constitutional protection simply because it is thought by another or others to be false, erroneous, controversial or unpleasant. Everyone is free to express his or her views. Indeed, the protection is most relevant and required when a person’s views are opposed or objected to by society or any part thereof, as “false” or “wrong”.”[19]


This implies that content creators and online publishers have a right to express themselves. This right is also recognized by UNESCO, which recognizes that the Internet holds enormous potential for development. It provides an unprecedented volume of resources for information and knowledge that opens up new opportunities and challenges for expression and participation. The principle of freedom of expression and human rights must apply not only to traditional media but also to the Internet and all types of emerging media platforms, which will contribute to development, democracy and dialogue.[20]


However, it is worth noting that the Court in the case of Google Spain SL and Google Inc. v. Agencia Espanola de Proteccion de Datos (AEPD) and Mario Costeja Gonzalez[21] recognized that ‘a search engine operator is not in the same position as a website publisher, since it did not cause the sensitive information to appear on the internet in the first place. After all, the search engine operator only provided a link to an existing website. In particular, the Court observed that the operator of a search engine is responsible, not because personal data appears on a web page published by a third party, but because the display of the link to that page in the list of results presented to users of the search engine is affecting the individual's fundamental right to privacy. Accordingly, the prohibition and restrictions would apply to search engine operators only after a request has been made by the relevant individual to remove the link in the search results to the page containing sensitive personal information, under the supervision of the competent national authorities.’[22]


The Court's interpretation of the right to be forgotten is synonymous with the rights of data subjects to the protection of their personal data and privacy, which override “not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name.” [para. 81] The Court, however, emphasized that the right to initiate such request may cease to exist when access to personal information “is justified by the preponderant interest of the general public in having, on account of its inclusion in the list of results, access to the information in question.” [para. 99]


The Development of the Case Law on the Right to be forgotten.

The law on the right to be forgotten has taken tremendous shape, as reported in an Oxford article titled ‘The Right to Be Forgotten is Taking Shape: CJEU Judgments in GC and Others (C-136/17) and Google v CNIL (C-507/17)’[23], which states that on 24 September 2019 the Court of Justice of the European Union issued two judgments further delineating the scope of the right to be forgotten in the context of search engines.


In GC and Others (C-136/17)[24], the Court decided that a search engine operator must only verify the lawfulness of its processing of sensitive data ex post, i.e. upon receiving a request for de-referencing. While lowering the level of protection of the right to data protection, this decision has to be understood as an act that brings the processing of sensitive data by search engines out of the grey area caused by the Court’s decision in Google Spain and Google (C-131/12)[25] and into the sphere of legality.


In Google v CNIL (C-507/17)[26], the Court had to determine the territorial scope of the right to be forgotten. It established a general rule of EU-wide de-referencing in connection with measures preventing or at least seriously discouraging access to non-EU search results. This leaves space for non-EU States to find their own balance between data protection and freedom of information. Both decisions can be considered a balancing act of the Court in attempting to reconcile the often very diverging rights and interests of the involved subjects, this time mostly at the expense of the right to data protection.


Further, in the case of Garcia v. Google,[27] actress Cindy Lee Garcia responded to a casting call for an upcoming movie called ‘Desert Warrior’, an action-adventure film. In her cameo role, Garcia spoke two sentences for a total of five seconds airtime. Unknown to her, the writer-director used her lines in a different film called Innocence of Muslims. Film producers showed Garcia but dubbed over her originally spoken lines with “Is Your Mohammed a child molester?” As a result of this dub, which was broadcast over YouTube, Garcia received death threats.


Garcia asked Google to remove the film. She later sued Google for invasion of privacy, intentional infliction of emotional distress, copyright infringement, and other causes of action.[28]


The Ninth U.S. Circuit Court of Appeals affirmed the dismissal of her lawsuit in Garcia v. Google (2014). “Ultimately, Garcia would like to have her connection to the film forgotten and stripped from YouTube,” the Ninth Circuit wrote. “Unfortunately for Garcia, such a ‘right to be forgotten,’ although recently affirmed by the Court of Justice for the European Union, is not recognized in the United States.”[29]


Therefore, although the law on the right to be forgotten is more applicable in Europe and only enforceable by the European Court of Justice, that does not limit other countries that have legislation in place to cater for those rights, for example the data protection Act in Uganda.


However, it’s worth noting that courts are still reluctant to grant this right to be forgotten, because it might not only be misapplied in countries that struggle to enforce the rule of law but might also be used to curtail free speech and expression online, thus leading to an absurdity.


This is notwithstanding the fact that there are no international guidelines or rules that define how the right to be forgotten is to be exercised globally. Google’s response to the case[30] has been that international law does not allow one country to impose its rule upon the citizens of another country. Google has also stated that individuals should be allowed the freedom of information to gain access to valuable data about other people or companies with whom they are about to engage in business.[31]


The Right to Privacy online in a Limbo.

So what next after the European Court of Justice streamlined the application of the right to be forgotten and the enforcement of one’s right to privacy?

Doesn’t this leave most people’s safety online in a limbo?


In 2016, UNESCO published a report titled ‘Privacy, free expression and transparency: Redefining their new boundaries in the digital age’ (Communication and Information Sector)[32]. Under Chapter 2.1, ‘The death of privacy in the digital age?’, the report stresses that the “death of privacy” in the 21st century was first predicted 15 years ago, inspired by accelerations in the development of technology.[33]


Though the claim seems a bit exaggerated, the reasons underlying the conclusion drawn at that moment in time are still valid today in their capturing of the wide-ranging and frightening threats to individual privacy.[34] Most threats foreseen by the technical community have not failed the prediction. Rather, their presence has been intensified by more advanced and unpredicted technologies.


Similarly, the predominating threats to individual privacy in the past decade have gradually shifted from the offline, physical world to an online, virtual world, and the centre of privacy protection has accordingly moved from physical to informational privacy,[35] in the context of digitization and connectivity. Such threats to privacy, like the corresponding benefits, can be witnessed at different levels, including the individual, societal, national, and international levels.


The report recognizes the various ways privacy has been compromised. At the individual level, it reports that individuals become increasingly vulnerable to privacy invasions as they depend more on the use of the Internet to carry out their daily activities and thus disclose more of their personal data to others.


The risk comes both from the fact that personal data becomes progressively digitized and from its being stored in several devices and locations. For instance, the personal data stored in a smartphone contains, in the eyes of the U.S.A. Supreme Court, ‘...a broad array of private information never found in a home in any form—unless the phone is [there]...’ The Supreme Court goes on to state that smartphones are ‘...in fact minicomputers that also happen to have the capacity to be used as a telephone...’ and that such computer systems ‘...can be called cameras, video players, rolodexes, calendars, tape recorders, libraries, diaries, albums, televisions, maps, or newspapers...’.[36]


Mounting online threats include hacking, identity theft, fraud, phishing, pharming, spoofing, profiling, spyware, tracking cookies, online witch hunting, bullying and stalking, which may involve a wide range of actions, including the unwanted disclosure of a user’s personal information (sometimes known as “doxing”).


This can be achieved either through the subject’s intentional or unintentional online activities and/or through others’ uploading of the subject’s digital information acquired offline—such as video images or sound tracks—in the absence of the subject’s consent and/or outside the data subject’s immediate control.


Such privacy-invading actions can cause data subjects a wide variety of damages, including the prompting of suicidal thoughts or actions due to the victim’s loss of critical elements of human life, such as safety, personal identity, autonomy and dignity. These examples are evidence of how traditional boundaries between the public and the private, between the physical and the virtual, and between the past and the present are collapsing.


The other way is at the corporate level, where private business corporations may nowadays risk becoming a major source of privacy invasion, in many ways and for various reasons.[37] Firstly, private ICT companies can misuse personal data that they collect in their daily business for economic benefits, exploiting the increasing value of data as a currency of the information economy.[38] Secondly, the collection and processing of personal data are now key to some companies’ business models, to the point that some models involve the collection of private information either as a core part of the business or as a means to enhance efficiency, convenience and quality of service.[39]


The report thus recognizes a vital concern with regard to freedom of expression online, ‘enlarged but endangered’, and reveals that access to information is a complex issue. As the Internet becomes a world forum involving all its users, and a world archive that stores each piece of information uploaded, powered by increasing decentralization and technology developments in data storage, it poses new and special risks and challenges.[40] For instance, a challenge to human society relates to the notions of ‘data persistence’ and ‘data retention’ – the idea that the Internet never forgets.[41]


While a human being has a moral right to grow and develop by learning from past mistakes, and therefore deserves a second chance to start over from the past, the Internet provides a social environment that may inhibit or deny such a chance. Indeed digital footprints—i.e. the traces or «footprints» that people leave online over time—may lead or encourage spectators to blend a person’s past with the present, missing out on substantial changes and discontinuities[42], pass ill judgement about the subject, and/or stifle individual development.


This is the stated reason why the European Court of Justice (ECJ) has decided in the Google Spain case to limit access to the litigant’s past information on the Internet.[43] Nonetheless, the scope of “the right to be forgotten” is debatable.[44]


What next after the European Court of Justice’s two divisive decisions.

The court has made it clear that the right to be forgotten must not be misinterpreted or misapplied to enable the removal of online content.

First, Google and other search engines are tasked with the responsibility of conducting a delicate exercise of balancing rights, when they have no democratic mandate to do so.[45]

They must ensure the protection and promotion of the rule of law; i.e., it must always be up to the courts and independent public regulators to interpret and to evaluate the application of the right to be forgotten.


Therefore, private actors should not be put in a situation where they have a de facto judicial role over content and are required to weigh data protection against freedom of information. Until a legal and political solution to this problem going beyond the right to be forgotten is found, courts, DPAs, and free expression experts should work together to provide further guidance to search engines on how to implement the right to be forgotten in a rights-respectful manner.[46]


Challenges facing the Right to be forgotten.

The fundamental technical challenge in enforcing the right to be forgotten, as revealed in the report[47] of ENISA[48], ‘The right to be forgotten – between expectations and practice’, lies in:

(i) Allowing a person to identify and locate personal data items stored about them;

(ii) Tracking all copies of an item and all copies of information derived from the data item;

(iii) Determining whether a person has the right to request removal of a data item; and,

(iv) Effecting the erasure or removal of all exact or derived copies of the item in the case where an authorized person exercises the right.


In a completely open system like the (vast) public portion of today’s world-wide web, anyone can make copies of a public data item and store them at arbitrary locations. Moreover, the system does not account for the number, owner or location of such copies.[49]


In such an open system it is not generally possible for a person to locate all personal data items (exact or derived) stored about them; it is difficult to determine whether a person has the right to request removal of a particular data item; nor does any single person or entity have the authority or jurisdiction to effect the deletion of all copies. Therefore, enforcing the right to be forgotten is impossible in an open, global system, in general.[50]


In an open system such as the public portion of the Internet, on the other hand, principals with online identities that cannot be reliably linked to a natural person can access public data. These principals are capable of further distributing the information to other untrusted parties, possibly resulting in a massive replication of data. In such a system, there is no generally applicable, technical approach to enforce the right to be forgotten.[51]


This case is common on the Internet, e.g., when personal data is being included in social networking sites, homepages, blogs, tweets, etc. It is important to understand that, regardless of the type of information system, unauthorized copying of information by human observers is ultimately impossible to prevent by technical means.[52]


Challenges faced enforcing the right to be forgotten in Closed Systems.

A distinction is drawn between a closed system and an open system in terms of processing personal data.[53] A closed system is one in which all components that process, transmit or store personal information, as well as all users and operators with access to personal information, can be trusted or held accountable for respecting applicable laws and regulations concerning the use of the private information.


Therefore, one of the challenges of enforcing the right to be forgotten in closed systems is explained as follows: a more complex type of closed system is an industry that shares personal information and is regulated by the government regarding the use of this information.


For instance, the United States health care industry (health providers, insurance companies, and health care billing companies) as well as employers share patient records, and are jointly responsible for handling this information in accordance with Title II of the US Health Insurance Portability and Accountability Act (HIPAA).[54] Participating companies and organizations are trusted and held accountable for their appropriate use of personal information.


The system is closed because all parties with access to the personal information are held accountable for their compliance with the law, and all personal information remains within the jurisdiction of the USA.[55]


In principle, the “right to be forgotten” can be implemented in such a system. In practice, however, privacy breaches in the healthcare sector are not uncommon, nor are losses of credit card information in the banking industry. This suggests that enforcing the right to be forgotten may be challenging even in closed systems.[56]


The report observes that even in closed systems, all users with access to personal information must be trusted to respect applicable privacy laws, because it is very difficult to ensure compliance by technical means alone.


Challenges faced while enforcing the right to be forgotten in Open Systems.


With open networks such as the Internet, information accessible to the public typically cannot be kept under the control of the user who originated the data. The reason is that data can be digitally copied, stored locally, and re-entered into the Internet, often in different locations for different purposes.


Such digital copying and re-insertion of arbitrary data cannot be generally prevented by technical means, unless one is able to make very strong assumptions about the underlying software and/or hardware, as in Digital Rights Management (DRM).[57] Such strong assumptions introduce additional technical and economic challenges, and often meet with limited public acceptance.


Moreover, it remains unclear if even these strong measures can solve the problem entirely. For instance, digital rights management requires a cryptographic infrastructure to protect the desired content, and the corresponding software programs have to be tailored to support DRM. Nevertheless, expert attackers can circumvent DRM with modest effort.[58]


It is thus fair to say that digital duplication cannot be prevented in general in open networks. However, it is worth pointing out that even if one assumed that direct digital duplication can be excluded by technical means, there exist additional ways to effect data duplication which are even harder to prevent.


For instance, taking a photograph of the screen while personal data is being displayed, or rerecording a private conversation using a microphone while it is being replayed cannot be prevented without physical screening of all listeners. Such re-captured information can be reinserted in the Internet.[59]


Finally, truly public information such as important news typically exists in a variety of different forms, both in various digital places, as well as in non-digital newspapers, radio, etc. There is no technical way to make this data forgotten.[60]


Conclusion and Recommendations

It can be argued that the right to be forgotten has twists and turns, simply because proponents in support of this move argue that every person has an inviolable right to their privacy, and that any attempt to violate that right, even online and for whatever intents and purposes, shouldn’t go unpunished, since internet search engines are data controllers.


In Google Spain vs. AEPD,[61] on the question of whether the Google search engine must be regarded as a “controller” of the processing of personal data, the Court was of the opinion that the concept of “controller” within the Directive must be interpreted broadly in order to ensure “effective and complete protection of data subjects.” [para. 34] It added that it would be contrary to the objectives envisioned in the Directive to exclude the operators of Internet search engines, as “they play a decisive role in the overall dissemination of [personal] data.” [para. 36][62]


This implies that an individual’s right to privacy supersedes the economic interests of internet search engines and the freedom of expression of third parties, even though caution and moderation should be exercised as the court seeks to enforce this right, so as to avoid trampling on people’s freedom of expression and right to access information.


It is worth noting that the rule in Google Spain vs. AEPD[63] was modified in the cases of GC and Others (C-136/17)[64] and Google v CNIL (C-507/17)[65], in that the court observed that the right to be forgotten only applies to Europe and that, if other countries wish to enforce this right, they should enact it within their domestic legislation.


Uganda has had its share of weaknesses in implementing the laws that are very good and I believe that with the presence of the Data Protection and Privacy Act, 2019, there will be a quick remedy for internet users whose rights are constantly violated online in the pretext of freedom of expression and speech.


To summarize, all existing technical approaches to ensure the right to be forgotten are vulnerable to unauthorized copying while the data is publicly accessible and a re-dissemination of such unauthorized copies once the data has expired.


Therefore, the right to be forgotten cannot be ensured using technical means alone. A possible partial solution may be a legal mandate aimed at making it difficult to find expired personal data, for instance, by requiring search engines to exclude expired personal data from their search results.[66]


Recommendations that have been suggested.

First, the application of this right to be forgotten should be mooted by the policy makers of the different countries before directly enforcing the judgments of the EU Court of Justice.


That notwithstanding, a position paper[67] by Access Now[68] suggests that a right to de-list must be limited to the sole purpose of protecting personal data: ‘Legislators should advance measures to establish a right to de-list solely as a data protection measure. Under no circumstances should such a right be established in the context of defamation legislation or legislation protecting honour.’


Further, the right to de-list must be embedded within a comprehensive data protection framework. If no comprehensive data protection law exists, establishing a right to de-list should be put on hold.[69] In relation to Uganda, the enforcers of this right to be forgotten must comply with the provisions stated under Section 28 of the Data Protection and Privacy Act 2019[70] and Section 39 of the Data Protection and Privacy Regulations Act 2021,[71] which state the procedure by which a data subject may ask for erasure or deletion of any material that infringes on their right to privacy, among others.


The other recommendation that has been suggested is that the criteria for de-listing must be clearly defined in comprehensive data protection legislation to avoid interference with human rights. In the context of Uganda, this includes the right to freedom of expression under Article 29 (1, a) of the Constitution,[72] together with Article 41 of the Constitution, which allows individuals to access information, even that which is in possession of the state.


Therefore, it has been suggested that lawmakers must clearly define the criteria that govern de-listing requests in comprehensive data protection legislation. The ability to de-list must not interfere with human rights, including the right to freedom of expression and access to information. Under no circumstances should a right to de-list lead to the deletion of online content. Web addresses may be de-listed in specific search results, but the content must remain online. The specific de-listed URL must also remain in the search engine index, so it can be found when users conduct a search that does not include the name of the individual who requested the de-listing.[73]
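The query-scoped de-listing described above can be sketched as follows. This is an added example, not code from the article or from the Access Now paper; the index contents, names, URLs, the order reference and the full-name matching policy are all constructed assumptions.

```python
import unicodedata
from dataclasses import dataclass, field


def normalize(text):
    """Casefold, strip diacritics and punctuation, and split into tokens."""
    decomposed = unicodedata.normalize("NFKD", text)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in no_marks.casefold())
    return cleaned.split()


@dataclass
class SearchIndex:
    docs: dict = field(default_factory=dict)        # url -> page text
    delistings: list = field(default_factory=list)  # (name tokens, url, order_ref)

    def add(self, url, text):
        self.docs[url] = text

    def delist(self, name, url, order_ref):
        """Record a de-listing for one (person name, URL) pair.

        The URL is NOT removed from self.docs: the content stays online and
        indexed. order_ref is a hypothetical field tying the entry to the
        decision that required it, so the entry can be audited later.
        """
        if url not in self.docs:
            raise KeyError(f"URL not in index: {url}")
        tokens = frozenset(normalize(name))
        if not tokens or not order_ref:
            raise ValueError("a name and an order reference are required")
        self.delistings.append((tokens, url, order_ref))

    def search(self, query):
        """Return URLs whose text contains every query token, minus URLs
        de-listed for a name that appears in full in the query."""
        q = set(normalize(query))
        if not q:
            return []
        hits = [u for u, t in self.docs.items() if q <= set(normalize(t))]
        # Assumed policy: suppress only when every token of the de-listed
        # name is in the query, in any order and any letter case.
        suppressed = {u for name, u, _ in self.delistings if name <= q}
        return [u for u in hits if u not in suppressed]


# Constructed sample data (not real pages or persons).
AUCTION = "https://news.example/2009/auction-notice"
PROFILE = "https://blog.example/profile"
MARKETS = "https://news.example/2021/kampala-markets"


def build_demo_index():
    idx = SearchIndex()
    idx.add(AUCTION, "Property auction notice for debts owed by Jane Namukasa in Kampala")
    idx.add(MARKETS, "Kampala markets reopen after renovation")
    idx.add(PROFILE, "Jane Namukasa wins Kampala design award")
    idx.delist("Jane Namukasa", AUCTION, order_ref="ORDER-PLACEHOLDER-001")
    return idx


if __name__ == "__main__":
    idx = build_demo_index()
    for q in ("Jane Namukasa", "namukasa, JANÉ kampala", "property auction Kampala"):
        print(q, "->", idx.search(q))
```

A surname-only query is not treated as a name search under the assumed policy; whether it should be is exactly the kind of criterion the paragraph above leaves to lawmakers to define.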


Most of all, competent judicial authorities should be appointed to interpret the standards for determining what is de-listed. This principle follows an old dictum laid down by Lord Hewart in the case of Rex v. Sussex Justices,[74] where he stated that “Justice must not only be done, but must also be seen to be done”. This means that, while seeking to enforce the right to be forgotten, the duty and responsibility should be entirely for the courts to interpret and clarify the de-listing criteria set by the law, and to evaluate its application, if necessary.[75]


Therefore, private actors should not be required, nor should they be authorized, to determine the validity of a de-listing request, and they should not be put in a situation where they have a de facto judicial role over content. Moreover, if the legislation is not clear regarding liability, companies may perform excessive de-listing of content, risking unnecessary, disproportionate limitation of free expression outside the rule of law. Instead, search engines should follow clear assessments from, or direct orders by, competent judicial authorities.[76]


More still, the right to de-list must be limited in scope and application, in line with the principles of data protection stated under Section 3 of the Data Protection and Privacy Act, 2019. These include, among others, the principle of minimality as observed under Section 14 of the Data Protection and Privacy Act, and as also stated by Lee A. Bygrave in his book Data Privacy Law[77]: the amount of personal data collected should be limited to what is necessary to achieve the purpose(s) for which the data is gathered and further processed. This principle goes under a variety of other terms as well, such as ‘data avoidance’ and ‘data frugality’.[78]


Then there is the principle of purpose limitation:[79] personal data should be collected for specified, legitimate purposes, and not used in ways that are incompatible with those purposes. This principle has two limbs. As stated by Peter Carey,[80] the first limb imposes an obligation on the controller to make known (‘specify’) the purposes for which the data are required. Further, such notice must be explicit and the purposes of the processing must be legitimate. The requirement to make available certain information to data subjects.


Therefore, it is against that backdrop that the implementation of a right to de-list should be limited to a “data controller”.[81] It should not be extended to services such as social media platforms where individual users have control over the information displayed. To avoid search engines taking action outside the rule of law, lawmakers must carefully consider the geographical application of a right to de-list.[82]


An absolute interpretation, where the right is limited either to one jurisdiction, or applies to all jurisdictions, raises challenges. The internet is global in nature and widespread use of tools such as Virtual Private Networks could mean that de-listed content will remain accessible in a country where it is meant to be obscured.


Moreover, the information that users wish to de-list in searches using their names might have cross-border or local implications that argue against delisting. It is therefore necessary to develop case-by-case assessment to evaluate which approach provides the highest level of protection to users’ rights in each case.[83]


Another point at hand is that search engines must be transparent about when and how they comply with de-listing requests. The report suggests that search engines implementing de-listing requests must be transparent about their internal compliance process. Companies that offer search engine services should publish transparency reports regularly, illustrating how they comply with the right to de-list through policy and practice by providing aggregate statistics on requests and how often they are rejected, among other data.[84]


If a comprehensive data protection law is in place, and a court order based on the law is issued that requires search engines to assess de-listing requests, companies must be transparent about how they make such evaluations and what safeguards are in place to ensure that individuals’ rights to privacy and free expression are respected.[85]


Lastly, the position paper suggests that users must have easy access to remedy. This implies that, whether the search engine has accepted or rejected a de-listing request, users should have easy access to remedy and a process to challenge the decision at either their local data protection authority or in court.


This is also stated under Section 28 of the Data Protection and Privacy Act 2019, and under Section 33 of the same Act, which gives a remedy of compensation for failure to comply with the Act: where a data subject suffers damage or distress through the contravention by a data controller, data processor or data collector of the requirements of this Act, that data subject is entitled to apply to a Court of competent jurisdiction for compensation from the data collector, data processor or data controller for the damage or distress. In proceedings against a person under this section, it is a defence to prove that the person took reasonable care in all the circumstances to comply with the requirements of this Act.


It is important to note that remedy of delisting is only possible if the search engines are not tasked with assessing de-listing requests. Otherwise, the assessment would become an internal commercial decision which, logically, cannot be legally challenged — as a search engine cannot be forced to re-list content. Under no circumstances should laws and corporate policies limit the user’s right to seek judicial remedy regarding a de-listing request.[86]


Particular care must be taken concerning the deletion of personal data stored on discarded and offline storage devices.[87]


Data controllers should be required to provide users with easy access to the personal data they store and ways to update, rectify, and delete data without undue delay and without cost to the user (to the extent that this does not conflict with other applicable laws).[88]

Develop techniques that aim at preventing the unwanted collection and dissemination of information (e.g., robots.txt, do not track, access control).[89]


Above all, legal action must be sought against perpetrators of these cyber crimes as observed under Section 35 of the Data Protection and Privacy Act, 2019, which is to the effect that, ‘A person shall not unlawfully obtain, disclose or procure the disclosure to another person of personal data held or processed by a data collector, data controller or data processor. A person who contravenes this section commits an offence and is liable on conviction to a fine not exceeding two hundred and forty currency points or imprisonment for ten years or both.’


This article has analyzed the right to be forgotten on the internet alongside the modifications in case law made by the European Court of Justice, since this right, although now widely applied in European courts, is not closed to courts of other jurisdictions, which might seek to enforce this same right.


It thus implies that the different data protection agencies and officers must assist in making legislation and also enforce every individual’s right to privacy, without limiting the constitutional requirements on freedom of expression online and people’s right to access information.


By

Waboga David

Uganda Christian University (Final Year Law Student).



Bibliography

1. The Constitution of Uganda 1995

List of Statutes. (Domestic Legislation)

1. The Computer Misuse Act, 2011

2. The Data Protection and Privacy Act, Act 9 of 2019

3. The Data Protection and Privacy Regulations, 2021

4. The Employment Act 2006

5. The NITA-U Act 2009.

List of Statutes. (International Legislation)

1. The General Data Protection Regulation (GDPR) OF 1998 Retrieved from https://gdpr-info.eu/art-72-gdpr/

Case Law.

1. Charles Onyango Obbo and Anor versus the Attorney General (Constitutional Appeal No. 2 of 2002).

2. Faridah Nakazibwe v Red Pepper Decided by the Media Council of Uganda Retrieved from https://observer.ug/news/headlines/57699-red-pepper-ordered-to-pay-shs-45m-to-ntv-s-nakazibwe.html Accessed at 12/22/2021 8:55:34 AM

3. Garcia v. Google, Inc., 771 F.3d 647 (9th Cir. 2014) full case available at https://h2o.law.harvard.edu/collages/34510 Accessed at 12/23/2021 4:05:05 AM

4. GC and Others (C-136/17)

5. Google Spain and Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, C-131/12, 26 November 2014 Available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 Accessed at 12/21/2021 1:50:47 PM

6. Google v CNIL (C-507/17)

7. Rex v. Sussex Justices, [1924] 1 KB 256

8. United States Supreme Court, Riley v. California 573 U.S. (2014)

BOOKS AND TEXTS

1. Lee A. B. Data Privacy Law An International Perspective ((First Edition published in 2014) Oxford University Press)

2. Peter C, Data Protection A Practical Guide to UK and EU Law ((5th Edn 2018) Oxford University Press)

3. Robert W, Et al Data Protection Law A Comparative Analysis of Asia-Pacific and European Approaches ((First Edition published in 2019) Springer Nature Singapore Pte Ltd. 2019)

4. Simson Garfinkel, (2001) Database Nation: The Death of Privacy in the 21st Century, Sebastopol: O’Reilly Media

OTHER ONLINE CONTENT


1. “Personal data is the currency of today’s digital market”. See Viviane Reding, “The EU Data Protection Reform 2012: Making Europe the Standard Setter for Modern Data Protection Rules in the Digital Age”, Speech, 22 January 2012, available at http://europa.eu/rapid/press-release_SPEECH-12-26_nl.htm.

2. ACCESS NOW POSITION PAPER: UNDERSTANDING THE “RIGHT TO BE FORGOTTEN” GLOBALLY Also available at https://www.accessnow.org/cms/assets/uploads/2017/09/RTBF_Sep_2016.pdf Accessed at 12/23/2021 7:55:46 PM

3. Australian Privacy Commissioner, “What Is Information Privacy and Why Do We Need to Protect It?”, August 1997, available at http://www2.austlii.edu.au/itlaw/national_scheme/national-PART.html.

4. Challenges of Implementing Cyber laws in Uganda Retrieved from https://summitcl.com/wp-content/uploads/2017/01/Challenges-of-Implementing-Cyber-laws-in-Uganda.pdf Available at 12/23/2021 1:38:16 AM

5. Court Decides On Two Major Right on Be Forgotten Cases There Are No Winners Here. Retrieved from https://www.accessnow.org/eu-court-decides-on-two-major-right-to-be-forgotten-cases-there-are-no-winners-here/ Accessed at 12/23/2021 10:26:56 AM

6. Digital Uganda 2021 Retrieved from https://datareportal.com/reports/digital-2021-uganda Accessed at 12/22/2021 8:27:39 AM

7. E-Governance Initiatives Retrieved from https://ict.go.ug/initiatives/e-governance/ Accessed at 12/22/2021 8:38:19 AM

8. Freedom of Expression on the Internet Retrieved from https://en.unesco.org/themes/freedom-expression-internet Accessed at 12/23/2021 2:57:22 AM

9. Google Spain SL v. Agencia Española de Protección de Datos (Summary overview) Retrieved from https://globalfreedomofexpression.columbia.edu/cases/google-spain-sl-v-agencia-espanola-de-proteccion-de-datos-aepd/ accessed at 12/21/2021 2:08:25 PM

10. Internet recruiting and employment discrimination: a legal perspective https://www.sciencedirect.com/science/article/abs/pii/S1053482298800028?via%3Dihub Accessed at 12/23/2021 11:37:41 AM

11. Privacy, Free expression and transparency ‘Redefining their new boundaries in the digital age Communication and Information Sector Published in 2016 by the United Nations Educational, Scientific and Cultural Organization : Report also available at https://unesdoc.unesco.org/in/documentViewer.xhtml?v=2.1.196&id=p::usmarcdef_0000246610&file=/in/rest/annotationSVC/DownloadWatermarkedAttachment/attach_import_fea85279-82ca-4a46-8818-a80d80ca5bb9%3F_%3D246610eng.pdf&locale=en&multi=true&ark=/ark:/48223/pf0000246610/PDF/246610eng.pdf#%5B%7B%22num%22%3A188%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2Cnull%2Cnull%2C0%5D Accessed at 12/23/2021 3:03:25 AM

12. Right to be Forgotten Case Retrieved from https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3520390 accessed at 12/21/2021 2:11:49 PM

13. The European Network and Information Security Agency (ENISA) The right to be forgotten – between expectations and practice Available at https://www.enisa.europa.eu/publications/the-right-to-be-forgotten/view/++widget++form.widgets.fullReport/@@download/The+right+to+be+forgotten+-+between+expectations+and+practice.pdf Accessed at 12/23/2021 11:47:57 PM

14. THE FIRST AMENDMENT ENCYCLOPEDIA Retrieved from https://www.mtsu.edu/first-amendment/article/1562/right-to-be-forgotten Accessed at 12/23/2021 4:09:05 AM

15. The right to be forgotten and the EU Court of Justice: Round 2 Retrieved from https://www.fieldfisher.com/en/services/privacy-security-and-information/privacy-security-and-information-law-blog/the-right-to-be-forgotten-and-the-eu-court-of-just Accessed at 12/23/2021 3:30:00 AM

16. The Right to Be Forgotten is Taking Shape: CJEU Judgments in GC and Others (C-136/17) and Google v CNIL (C-507/17) Retrieved from https://academic.oup.com/grurint/article/69/4/380/5732807 Accessed at 12/23/2021 3:49:23 AM

17. Toby Mendel et al., (2012) Global Survey on Internet Privacy and Freedom of Expression, UNESCO Series on Internet Freedom, Paris: UNESCO, p. 98, available at http://www.unesco.org/new/en/communication-and-information/resources/publications-and-communication-materials/publications/full-list/global-survey-on-Internet-privacy-and-freedom-of-expression/


List of citations

[1] Digital Uganda 2021 Retrieved from https://datareportal.com/reports/digital-2021-uganda Accessed at 12/22/2021 8:27:39 AM

[2] E-Governance Initiatives Retrieved from https://ict.go.ug/initiatives/e-governance/ Accessed at 12/22/2021 8:38:19 AM

[3] Faridah Nakazibwe v Red Pepper Decided by the Media Council of Uganda Retrieved from https://observer.ug/news/headlines/57699-red-pepper-ordered-to-pay-shs-45m-to-ntv-s-nakazibwe.html Accessed at 12/22/2021 8:55:34 AM

[4] The Employment Act 2006

[5] Internet recruiting and employment discrimination: a legal perspective https://www.sciencedirect.com/science/article/abs/pii/S1053482298800028?via%3Dihub Accessed at 12/23/2021 11:37:41 AM

[6] The General Data Protection Regulation (GDPR) OF 1998 Retrieved from https://gdpr-info.eu/art-17-gdpr/ Accessed at 12/21/2021 1:23:07 PM

[7] The Data Protection Act 2019 also available at https://media.ulii.org/files/legislation/akn-ug-act-2019-9-eng-2019-05-03.pdf Accessed at 12/21/2021 1:32:47 PM

[8] “Authority” means the National Information Technology Authority - Uganda

[9] Google Spain SL and Google Inc. v. Agencia Espanola de Proteccion de Datos (AEPD) and Mario Costeja Gonzalez C-131/12 Full case available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 Accessed at 12/21/2021 1:50:47 PM

[10] Google Spain SL v. Agencia Española de Protección de Datos (Summary overview) Retrieved from https://globalfreedomofexpression.columbia.edu/cases/google-spain-sl-v-agencia-espanola-de-proteccion-de-datos-aepd/ accessed at 12/21/2021 2:08:25 PM

[11] Right to be Forgotten Case Retrieved from https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3520390 accessed at 12/21/2021 2:11:49 PM

[12] Supra 9

[13] Ibid

[14] Ibid

[15] The Constitution of the Republic of Uganda 1995

[16] The Computer Misuse Act, 2011

[17] Challenges of Implementing Cyber laws in Uganda Retrieved from https://summitcl.com/wp-content/uploads/2017/01/Challenges-of-Implementing-Cyber-laws-in-Uganda.pdf Available at 12/23/2021 1:38:16 AM

[18] Charles Onyango Obbo and Anor versus the Attorney General (Constitutional Appeal No. 2 of 2002).

[19] A detailed explanation on Is Freedom of speech a fact or an illusion covered with legal semantics. can be accessed here Is Freedom of speech a fact or an illusion covered with legal semantics? (lawpointuganda.com) Accessed at 12/23/2021 2:19:37 AM Also IS THE LEGAL RIGHT TO FREEDOM OF EXPRESSION IN UGANDA AN ATTAINABLE FACT OR AN ILLUSION... (lawpointuganda.com) Accessed at 12/23/2021 2:19:45 AM

[20] Freedom of Expression on the Internet Retrieved from https://en.unesco.org/themes/freedom-expression-internet Accessed at 12/23/2021 2:57:22 AM

[21] Supra 9

[22] The right to be forgotten and the EU Court of Justice: Round 2 Retrieved from https://www.fieldfisher.com/en/services/privacy-security-and-information/privacy-security-and-information-law-blog/the-right-to-be-forgotten-and-the-eu-court-of-just Accessed at 12/23/2021 3:30:00 AM

[23] The Right to Be Forgotten is Taking Shape: CJEU Judgments in GC and Others (C-136/17) and Google v CNIL (C-507/17) Retrieved from https://academic.oup.com/grurint/article/69/4/380/5732807 Accessed at 12/23/2021 3:49:23 AM

[24] GC and Others (C-136/17) Full case available at https://curia.europa.eu/juris/document/document.jsf?text=&docid=218106&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=1348479 Accessed at 12/23/2021 3:52:51 AM

[25] Google Spain and Google (C-131/12) Full case available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:62012CJ0131&from=en Accessed at 12/23/2021 3:56:18 AM

[26] Google v CNIL (C-507/17) Full case available at https://curia.europa.eu/juris/document/document.jsf?text=&docid=218105&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=1349742 Accessed at 12/23/2021 4:00:10 AM

[27] Garcia v. Google, Inc., 771 F.3d 647 (9th Cir. 2014) full case available at https://h2o.law.harvard.edu/collages/34510 Accessed at 12/23/2021 4:05:05 AM

[28] THE FIRST AMENDMENT ENCYCLOPEDIA Retrieved from https://www.mtsu.edu/first-amendment/article/1562/right-to-be-forgotten Accessed at 12/23/2021 4:09:05 AM

[29] Ibid.

[30] Supra 9

[31] Supra 11 at page 7

[32] Privacy, Free expression and transparency ‘Redefining their new boundaries in the digital age Communication and Information Sector Published in 2016 by the United Nations Educational, Scientific and Cultural Organization : Report also available at https://unesdoc.unesco.org/in/documentViewer.xhtml?v=2.1.196&id=p::usmarcdef_0000246610&file=/in/rest/annotationSVC/DownloadWatermarkedAttachment/attach_import_fea85279-82ca-4a46-8818-a80d80ca5bb9%3F_%3D246610eng.pdf&locale=en&multi=true&ark=/ark:/48223/pf0000246610/PDF/246610eng.pdf#%5B%7B%22num%22%3A188%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2Cnull%2Cnull%2C0%5D Accessed at 12/23/2021 3:03:25 AM

[33] See among others Simson Garfinkel, (2001) Database Nation: The Death of Privacy in the 21st Century, Sebastopol: O’Reilly Media

[34] Ibid., pp. 10-12

[35] Physical privacy refers to the restricted access of others to our bodies, relationships and living spaces. See Keith Bauer, “Healthcare Ethics in the Information Age”, in Rocci Luppicini and Rebecca Adell, (2008) Handbook of Research on Technoethics, Hershey: Information Science Reference an imprint of IGI Global, p. 179. Information privacy refers to “the handling of ‘personal information’, that is, information about a particular person or information that can be used to identify a particular person”. See Australian Privacy Commissioner, “What Is Information Privacy and Why Do We Need to Protect It?”, August 1997, available at http://www2.austlii.edu.au/itlaw/national_scheme/national-PART.html. Information privacy and other related conceptions will be discussed further in Chapter 3.

[36] United States Supreme Court, Riley v. California 573 U.S. (2014), paras. 21 and 17, available at https://supreme.justia.com/cases/federal/us/573/13-132/, accessed at 12/23/2021 3:20:19 AM

[37] Supra 32 at pg.16

[38] “Personal data is the currency of today’s digital market”. See Viviane Reding, “The EU Data Protection Reform 2012: Making Europe the Standard Setter for Modern Data Protection Rules in the Digital Age”, Speech, 22 January 2012, available at http://europa.eu/rapid/press-release_SPEECH-12-26_nl.htm.

[39] Toby Mendel et al., (2012) Global Survey on Internet Privacy and Freedom of Expression, UNESCO Series on Internet Freedom, Paris: UNESCO, p. 98, available at http://www.unesco.org/new/en/communication-and-information/resources/publications-and-communication-materials/publications/full-list/global-survey-on-Internet-privacy-and-freedom-of-expression/ .

[40] In view of the copy-and-paste works done by individual Internet users and the bulk of data collected automatically online by web crawlers by different digital institutions including for example Google and the Internet Archive.

[41] See in general Viktor Mayer-Schönberger, (2011) Delete: The Virtue of Forgetting in the Digital Age, New York: Princeton University Press.

[42] Anita Allen, (2011) Unpopular Privacy: What Must We Hide?, Oxford, New York: Oxford University Press, p. 164.

[43] Supra 9

[44] For instance, the implementation of the verdict to domain “.com” by Article 29 Data Protection Working Party. Article 29 Data Protection Working Party, Guidelines on the Implementation of the Court of Justice of the European Union Judgment on «Google Spain and Inc. v. Agencia Española de Protección de Datos(AEPD)and Mario Costeja González” C-131/12, 26 November 2014, available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp225_en.pdf .

[45] Court Decides On Two Major Right on Be Forgotten Cases There Are No Winners Here. Retrieved from https://www.accessnow.org/eu-court-decides-on-two-major-right-to-be-forgotten-cases-there-are-no-winners-here/ Accessed at 12/23/2021 10:26:56 AM

[46] Ibid

[47] The European Network and Information Security Agency (ENISA) The right to be forgotten – between expectations and practice Available at https://www.enisa.europa.eu/publications/the-right-to-be-forgotten/view/++widget++form.widgets.fullReport/@@download/The+right+to+be+forgotten+-+between+expectations+and+practice.pdf Accessed at 12/23/2021 11:47:57 PM

[48] The European Network and Information Security Agency (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe’s critical information infrastructure and networks

[49] Supra 47 at Pg.8

[50] ibid

[51] Ibid

[52] Ibid

[53] Ibid

[54] Ibid

[55] Ibid

[56] Ibid

[57] Ibid

[58] Ibid

[59] Ibid

[60] Ibid

[61] Supra 9

[62] Ibid

[63] Supra 9

[64] Supra 24

[65] Supra 26

[66] Supra 47 at pg.13

[67] ACCESS NOW POSITION PAPER: UNDERSTANDING THE “RIGHT TO BE FORGOTTEN” GLOBALLY Also available at https://www.accessnow.org/cms/assets/uploads/2017/09/RTBF_Sep_2016.pdf Accessed at 12/23/2021 7:55:46 PM

[68] Access Now is an International Organization that defends and extends the digital rights of users at risk around the world. By combining innovative policy, global advocacy, and direct technical support, we fight for open and secure communications for all.

[69] Supra 67 at pg. 2

[70] Supra 7

[71] The Data Protection and Privacy Regulations Act 2021

[72] Supra 15

[73] Supra 67 at pg.2

[74] Rex v. Sussex Justices, [1924] 1 KB 256

[75] Supra 67 at pg.2

[76] Ibid.

[77] Lee A. B. Data Privacy Law An International Perspective ((First Edition published in 2014) Oxford University Press) pg.151

[78] As seen under The Germany’s Federal Data Protection Act Section.3(a) which employs the notions of ‘Datenvermeidung’ and ‘Datensparsamkeit’

[79] Supra 67 at Pg. 153

[80] Peter C, Data Protection A Practical Guide to UK and EU Law ((5th Edn 2018) Oxford University Press) Pg.34-35

[81] As stated under Section 2 of the Data Protection and Privacy Act 2019 “data controller” means a person who alone, jointly with other persons or in common with other persons or as a statutory duty determines the purposes for and the manner in which personal data is processed or is to be processed; — such as a search engine.

[82] Supra 67 at pg.2

[83] Ibid

[84] Ibid

[85] Ibid

[86] Ibid

[87] Supra 47 at pg. 18

[88] Ibid

[89] Ibid








