Right to be Forgotten: Privacy Protection or Track Record Deletion?

December 24, 2022 1:12 pm

Author: M Irfan Dwi Putra
Editor: M Perdana Karim

The House of Representatives officially passed the Personal Data Protection Bill on September 20, 2022. The passage of the PDP Law is a significant step toward protecting personal data in Indonesia, after a lengthy legislative process under way since 2016. It also brings new hope to citizens regarding the security of their personal data, since data breach cases have been increasing recently.

If we look closely, there is one interesting concept in this PDP Law: the right to be forgotten. The right to be forgotten is part of the right to privacy; it allows a person to permanently delete information about themselves that violates their privacy. In the digital space, the right to be forgotten allows a person to request that the electronic system operator erase their data.

The idea of the right to be forgotten originally came from the case of Google v. Agencia Española de Protección de Datos and Mario Costeja González in 2010. A Spanish businessman named Mario Costeja felt aggrieved by information in the La Vanguardia newspaper about his past bankruptcy. The information appeared in Google's results whenever anyone entered his name into the search engine. Mario then asked Google to remove the information, a request that Google denied. The dispute then proceeded to the EU Court of Justice, whose decision became a landmark precedent for the implementation of the right to be forgotten.

In its decision, the EU Court of Justice established a new norm: everyone has the right to request the erasure of their information if the information is deemed to be inaccurate, irrelevant or no longer relevant, or over-loaded. This norm was later adopted in Article 17 of the EU General Data Protection Regulation (EU GDPR), where it is referred to as the right to erasure.

The concept of the right to be forgotten raises controversy in the community. On the one hand, it protects a person from personal information that violates their privacy. On the other hand, this right could be abused by an irresponsible party. For example, in a few years, Google has granted requests for the erasure of several articles containing information about individuals involved in terrorist crimes. This example shows that the concept can be used by criminals to erase their criminal records.

In Indonesia, the concept of the right to be forgotten appeared before the PDP Bill, specifically in Article 26 paragraph (3) of the 2016 Amendment to the Electronic Information and Electronic Transactions Law. It states:

“Each Electronic System Operator shall delete any irrelevant Electronic Information and/or Electronic Documents under its control at the request of the concerned by court order.”

This provision expands the scope of the right to be forgotten, which then deals not only with personal data but also with other content. However, the right to be forgotten must be applied explicitly only to personal data to minimize its potential for misuse. Many parties criticize this provision because it is considered irrelevant and will give rise to cases of abuse such as those described above.

The right to be forgotten is then regulated extensively in the PDP Law. The regulation covers the rights of personal data subjects, the obligations of the personal data controller, and the terms and general procedures for deleting or destroying personal data. Furthermore, the law also regulates the deletion or destruction of personal data when the retention period has expired.

As in the European cases, implementing the right to be forgotten under the PDP Law will draw both support and opposition in the community. There will be resistance to this concept because it can be an opportunity for criminals to erase their criminal records. A human rights violator may request that information regarding his past crimes be removed so that people will not know about it.

In summary, the right to be forgotten is a concept that should be appreciated because it strengthens the protection of human rights related to the right to privacy. However, detailed regulation is needed so that the right to be forgotten is not misused for particular interests. Hence, the government needs to create derivative norms that regulate, in detail and restrictively, the categories of personal data that can be erased, the procedures for erasing personal data, and the exceptions in practice. The right to be forgotten can then be applied to protect and guarantee citizens' privacy without causing other losses.
