A businessman, whose "right to be forgotten" request was denied by Google to "defend the public's right to access lawful information", has filed a lawsuit in the high court in a bid to make Google remove online references to his criminal past.
The businessman was convicted in the late 1990s for his role in a business malpractice that had garnered widespread condemnation, including in parliament. Having served his sentence, he now wants any online references to the conviction to be removed so that his past does not affect his relations or his business interests. The online references in question are several search results that link to old news articles on his conviction.
However, Google is contesting his right to be forgotten, stating that he cannot "rewrite history" or "tailor his past". The company added that the business malpractice he was involved in was "serious and sustained" and "involved deceptive and misleading criminal practices".
The company said it reserves the right not to honour "right to be forgotten" requests if it feels that an individual's right to privacy does not outweigh the public interest in the existence of such information in the public domain. According to a judgment delivered by the European Union's Court of Justice in 2014, the right to be forgotten can be exercised only if the data that an individual wants removed is irrelevant or outdated.
Commenting on the question of an individual's right to be forgotten and the public's right to access lawful information, Ralph Echemendia, known to many as "The Ethical Hacker" and CEO of Seguru, says that while selective disclosure of personal information is considered by many to be a basic human right, the public's "right" to access "lawful" information is not a human right, but is being used as a defence by Google's legal team.
"Law and regulation is usually ten years behind the use of technology and in many cases not necessarily in the interest of the individual. Legal does not always mean ethical. It's also important to consider that in today's cloud-based environment, your information is no longer stored on just one hard drive, but in many across the world. This means many different laws could be applied to this data, not just those that are in place in the country in which the company is headquartered," he says.
"With GDPR kicking in this year, it will certainly be very interesting to see if the regulations coming into force will help or have a detrimental effect on our privacy."
While it is for the courts to decide if an individual's right to be forgotten is supreme and not subject to the public interest, what is more pertinent is whether today's companies are equipped to honour such requests, considering that a landmark data protection law that expressly allows such requests to be made is less than three months away.
"If companies can't identify where their data resides in order to remove it from their sites, they risk the enormous fines that come as part of the GDPR deal. Google of course have the might to take on contentious ones like this, smaller companies will struggle and be forced to remove data even if they don't agree," says Jes Breslaw, director of strategy for EMEA at Delphix.
"The proliferation of data means that copies of personal data are scattered across an organisation. In order to remain in line with the right to be forgotten and GDPR, companies need to know where this data is stored in the first place.
"In reality, 90 percent of a company's data sits in test, reporting, analytics and backup systems, which makes it incredibly hard to track and trace. Therefore, it's more important than ever that companies have the right technology in place to help them identify and remove sensitive data," he adds.
Breslaw adds that there are technologies available that enable firms to create a comprehensive library of data sources, which they can use to pinpoint the exact locations of certain data, whether on-premises or in the cloud. By using such technologies, companies will be able to honour "right to be forgotten" requests in a timely manner and thereby avoid huge fines under the GDPR.