Introduction

With the advent of new technologies and the huge developments in web services, the nature of the processing, storage, and collection of data and information has changed dramatically. Today, it is comparatively much easier to reach data and information. The subject of those data can be anything, including personal data. This can be a very positive thing because reaching information about people easily can be quite beneficial in some conditions. Yet it also poses some major problems for individuals and society in general. In some circumstances, a person may want his/her information to be deleted from the internet for legitimate reasons. However, it is not always easy to delete data that has once been published on the internet. Considering that there are countless recipients and publishers on the internet, it is very hard to delete information once it is uploaded.

The right to be forgotten and the protection of personal data are directly related to the problem stated above. In this article, their significance, history, and common features will be briefly explained and examined to create a better understanding of both.

The History of Right to Be Forgotten

Although the right to be forgotten developed and took its current shape recently, it has a long history that dates back to earlier centuries. It has been a matter of concern for many people because it is a human desire to have some degree of privacy. For instance, in 1867, a photo was taken of Alexander Dumas (the famous writer) and his mistress together in an inappropriate situation. Later, Dumas applied to the French courts to get the photos back from the photographer who had taken them, because the photographer was reluctant to hand them over.1 The court ruled in favor of Dumas, stating that the right to privacy shall outweigh the property rights of the photographer. Today, the main discussions about the right to be forgotten still revolve around striking a balance between the right to privacy and other fundamental rights.

The reason this topic is gaining popularity in the 21st century is that forgetting data has become much more difficult. Two main reasons make forgetting data harder. The first is related to the memory capacity of human beings and the dependence of humans on it. In earlier centuries, it was much harder to store and process data. For example, if one were to see a scene that involves a third person in an unpleasant situation, the third person would like that scene to be erased from the observer's mind. This would happen in the end because human brains are not able to store data for a long time with all the details and precision. Unpleasant information may fade after a long period and lose its significance. However, with the advent of new technologies, the ability of humans to store data is almost limitless and uncontrollable. Technological devices can store data for as long as it is not deleted.

The second reason that makes forgetting data more difficult is, again, technological development. Just as technology makes storage easier, it also makes the spread and distribution of data easier. A visual image in someone's brain is impossible to transmit, but a video recording can easily be conveyed to third persons. Considering these two developments in data technologies, deleting data matters a lot more because the potential harms of unwanted data are now a lot more serious. The decisions of courts and institutions discussed below regarding the right to be forgotten and personal data protection are based on an awareness of these changes.

Approaches and Rulings

Since the circulation of data has become much faster and more widespread, complaints from people whose data are present on the web have become more prevalent. One of these complaints led to a milestone decision which is probably the single most important legal document about the right to be forgotten up to that date. This ruling was given by the Court of Justice of the European Union (ECJ) in 2014 upon an application filed by a Spanish citizen.2 The motive behind the request was to have his name deleted from the search engine Google, because a newspaper's website carried his name in connection with an earlier announcement showing that the applicant's assets had been confiscated.

The ECJ ruled that the applicant had the right to make that request and that Google was obliged to erase those particular search results if a request was made and certain preconditions were met. This decision became a precedent for many cases not only in the EU but throughout the world. Google established an office to deal with applications from people who wanted their data deleted and stated in 2015 that it had received over 183,000 requests for removal since May 2014.3

Personal Data Protection

It is not possible to examine the right to be forgotten without mentioning the personal data protection regime. The right to the protection of personal data is considered one of the fundamental rights and freedoms and aims to protect the dignity and private life of individuals. Like the right to be forgotten, the right to personal data protection has become increasingly important. Especially after the 1970s, developments in information technologies and the ensuing contraction of individuals' personal space played an important role in the increasing significance of personal data protection.

As a result of these developments, existing legislation fell short of meeting new demands, and the GDPR (General Data Protection Regulation) was enacted in the EU in 2016 to answer new problems. Member countries were given a period of two years to alter their domestic regulations and make them compliant with the new obligations. It affected not only EU member countries but also influenced many countries around the world. Turkey, for example, adopted most parts of the GDPR and created an almost identical domestic regulation on personal data protection.

Personal Data Protection and Right to Be Forgotten

The relationship between the GDPR and the right to be forgotten is close. It is not possible to mention the right to be forgotten without referring to personal data protection. The legal logic behind both of them is almost the same. Both rights are based on human dignity and the right to privacy. While the right to be forgotten leans towards a more specific area of personal data protection, it still seeks to protect privacy and human dignity.

By having data removed from sources available to the public, an important contribution to the protection of personal data would be made. However, the right to be forgotten has some very important features compared to routine processes related to the GDPR. In most processes, the GDPR protects a person's data when the data is given to a company within a consumer or employment relationship. For example, when a person buys something from an e-store, certain data such as name, age, etc. would be given to the e-store. The relationship regarding this transfer of data would generally be based on how long data can be stored, with whom data can be shared, and for which reasons data can be kept. The nature of such a relationship is more specific to the needs of a company, and data is usually kept secret in the database of the company.

The right to be forgotten differs from routine applications of the GDPR in the sense that it usually comes into question when the particular data is reachable by everyone who has access to the internet. As mentioned above, the subject of the GDPR is usually data that is confined to a more limited space within the discretion of the data controller company. When the data controller turns out to be a search engine, data becomes available to everyone who has access to the internet. While the GDPR regulates the sharing of data with even a single third person or the employees of the data controller company, the processing of data online makes data available to everyone. This shows that the right to be forgotten is a crucial branch of personal data protection law.

The right to be forgotten is also different from routine personal data protection in another sense. Again, due to the number of people who can reach data online, certain legal norms come into question. The most important of them is the right to free speech. In routine applications of the GDPR, the right to free speech does not usually come into question. Of course, some cases also interfere with freedom of expression, but most of these cases are about the right to be forgotten. The clash between the right to free speech and the right to be forgotten is very common and constitutes the most fundamental problem for the right to be forgotten. For instance, when a newspaper has an online article that includes the personal data of a former criminal, whether the right to be forgotten of the criminal who has completed his/her sentence or the freedom of expression of the newspaper prevails is a question that needs to be answered in every case.

Turkish Data Protection Authority's and Supreme Court's Views on Right to Be Forgotten

The data protection regime is also a hot topic in Turkey. The Turkish Data Protection Authority (TDPA) concluded an investigation on 23/06/2020.4 The TDPA demonstrated its approach to the right to be forgotten and provided an outline of it. The opinions of the TDPA are generally in line with the European approach to the subject. The TDPA defined the right to be forgotten as "an individual right to demand blocking access to correct information which had spread lawfully in the past and because a certain amount of time has lapsed."

The TDPA stated that the right to be forgotten was already present in Turkish law even before the Personal Data Protection Law was enacted. A Supreme Court decision5 dated 03.03.2016, which concerned an individual's request to block access to genuine news about him published 14 years earlier, was highlighted. The Turkish Supreme Court had sought a balance between freedom of expression and the right to privacy and concluded that the latter prevailed.

Although an explicit provision regarding the right to be forgotten was not present at the time of the case, the Court used some relevant clauses to support its argument. Article 20 of the Constitution, which regulates the right to privacy, was used, and the Court decided that the situation was in direct violation of the Constitution. Articles 4, 7, and 11 of the Data Protection Law concern the principles governing the processing of personal data, the erasure or anonymization of personal data, and the rights of the personal data owner. In light of these regulations, the Court decided that the reasons for processing the data had ceased to exist and hence the data owner could demand erasure. The Court claimed that search engines were data controllers within the meaning of Article 3 of LPDR because they set the purposes and tools of processing personal data.

The approach of the Turkish Supreme Court is very similar to that of the European institutions. Since the Personal Data Protection Act is almost identical to the GDPR and is taken from the GDPR, this is not surprising. It can be said that the European approach to the issue was also adopted by the Turkish authorities.

Conclusion

Technological transformations affect almost every single field on earth. As a result, the law also transforms itself in order to catch up with the speed of change. Since technological innovations have made data more accessible and easier to distribute, concerns over the processing of data have become more of an issue. The most significant outcome of this change for the law is the new regulations that aim to create a safer environment for individuals. The GDPR and the right to be forgotten stand as two new concepts which will be much more prevalent in the coming years.

Footnotes

1. https://www.forbes.com/sites/danielfisher/2015/10/08/the-aristocratic-roots-of-the-european-obsession-with-privacy/?sh=24f249932de7

2. Google Spain, Google Spain SL and Google Incorporated v Agencia Española de Protección de Datos ('AEPD') and Costeja González, Judgment, reference for a preliminary ruling, Case C-131/12, ECLI:EU:C:2014:317, ILEC 060 (CJEU 2014), 13th May 2014, Court of Justice of the European Union [CJEU]; European Court of Justice [ECJ]; European Court of Justice (Grand Chamber)

3. See European Privacy Requests for Search Removals, GOOGLE TRANSPARENCY REPORT (Mar. 8, 2014), http://www.google.com/transparencyreport/removals/europeprivacy/?hl=en.

4. 2020/481

5. 2013/5653
