Even facts and events that took place before the Internet age are affected: the paper archives of newspapers or other libraries are being digitized and put online. This means that “forgotten” events can resurface and catch up with those affected many years later. This loss of control can have unpleasant consequences for the person concerned. Right to be forgotten service Information given in a certain context can be used for completely different purposes. For example, an anecdote or trivial matter published intentionally or unintentionally on the Internet can one day harm the person concerned.
The Internet knows no borders. The information is not only disseminated worldwide, it is precisely this international aspect that makes it very difficult for those affected to assert their rights. Complex procedural questions arise, such as jurisdiction and applicable law. In view of the development of new technologies, the duplication of data, the differences in data processing, the legislative and procedural hurdles, implementing the right to be forgotten on the Internet is a major challenge.
The solutions
Solutions must therefore be found that keep pace with technological developments while protecting the dignity of those affected and the right to privacy, including on the Internet.
Technical solutions
At the technical level, strategies can and must be developed that enable effective control of personal data by those affected. “Privacy by design” (protection of privacy during development) and “privacy by default” (data protection-friendly default settings) should become standard in our opinion. “Privacy by design” means that the protection of privacy and right to be forgotten help personal data is already included in the development of new technologies or applications and maintained throughout the entire life cycle of a specific technology. “Privacy by default” means setting up confidentiality parameters that you can choose for any online service. The aim is to prevent that data is (re)used abusively or for purposes other than those to which the data subject originally consented. This means that the express consent of the person concerned must be obtained for every data processing.
It is also necessary to encourage webmasters not to index their websites (or part of them) and to encourage search engine providers to revise their way of working or their indexing system, for example by providing an online non-indexing procedure.
Legal Solutions
The applicable federal law on data protection (DSG) only lays down general principles (expediency, proportionality) and basic rules. If there is no (longer) justification for data processing, the person concerned can assert their right to rectification and their right to object (to the person responsible for data processing) (Art. 12 and 13 DSG). If this approach does not lead to the desired result, it can file a suit with the civil court in accordance with Article 15 DSG and, in particular, demand that the data processing be blocked, that no data be disclosed to third parties or that the personal data be corrected or destroyed. The Federal Data Protection and Information Commissioner (FDPIC) can perform advisory tasks and, under certain conditions (especially if a large number of people are affected), carry out clarifications as part of his supervisory work.
As already explained, it is often difficult in practice to enforce the right to be forgotten or to object. It is therefore necessary to expand the rights of data subjects and to impose stricter obligations on those responsible for data processing. To this end, the principle of proportionality can be specified and “privacy by design” and “privacy by default” can be declared binding for all products and services on the market.
A revision of the existing legal framework is being discussed at European level (the applicable directive dates back to 1995). This revision is intended to take into account the development of new technologies, increasing digitization and internationalization (globalization). The new European regulation aims in particular to increase the effectiveness of data protection, with the right to be forgotten being a central concern. We are following the discussion closely because the solutions adopted by the EU are exemplary for Switzerland and should be included in the revision of the gdpr case studies.