ArticlePDF Available

Balancing between Right to Be Forgotten and Right to Freedom of Expression in Spent Criminal Convictions

Authors:

Abstract

Being two distinct fundamental rights, the coexisting state of the right to be forgotten and freedom of expression has already been confirmed by the competent authorities through balancing in situations when they collide. The paper focuses the balancing apprehensions concerning spent criminal conviction data while considering Google Spain ruling and the General Data Protection Regulation (GDPR) primarily for analysis. From the Google Spain ruling till the development of the GDPR, the balancing apprehension has already seen another generation resolving conflicting issues derived both from statutes and case laws. Though lawful authorities stepped into easing the tension between different elements of the two rights, it has been seen that the outcome of balancing intellection depends on the application of diverse norms and principles. The contemporary principles in balancing the rights of spent criminal conviction datum have been identified in this paper which needs to be enhanced carefully in the future towards a more privacy-friendly atmosphere to envisage the need of data-driven Europe and to upheld the right to be forgotten of spent criminal convicts.
Received: 12 September 2020 Revised: 11 February 2021 Accepted: 18 February 2021
DOI: 10.1002/spy2.157
RESEARCH ARTICLE
Balancing between Right to Be Forgotten and Right to
Freedom of Expression in Spent Criminal Convictions
Kamrul Faisal
Department of Law, University of Turku,
Turku, Finland
Correspondence
Kamrul Faisal, Department of Law,
University of Turku, Turku, Finland.
Email: kamrul.k.faisal@utu.fi
Abstract
Being two distinct fundamental rights, the coexisting state of the right to be
forgotten and freedom of expression has already been confirmed by the compe-
tent authorities through balancing in situations when they collide. The paper
focuses the balancing apprehensions concerning spent criminal conviction data
while considering Google Spain ruling and the General Data Protection Reg-
ulation (GDPR) primarily for analysis. From the Google Spain ruling till the
development of the GDPR, the balancing apprehension has already seen another
generation resolving conflicting issues derived both from statutes and case laws.
Though lawful authorities stepped into easing the tension between different
elements of the two rights, it has been seen that the outcome of balancing
intellection depends on the application of diverse norms and principles. The
contemporary principles in balancing the rights of spent criminal conviction
datum have been identified in this paper which needs to be enhanced carefully
in the future towards a more privacy-friendly atmosphere to envisage the need
of data-driven Europe and to upheld the right to be forgotten of spent criminal
convicts.
KEYWORDS
balancing, Google Spain, principles, privacy, processing, solicitation, spent convictions
1INTRODUCTION
The English philosopher John Locke considered “trust” and “prestige” as the two elements that humans consider the
most based on which humans instinctually manage themselves to lead the emersion of the self-concept.1Because of the
Internet, the information is so willingly obtainable which remains online permanently, facilitates a permanent slandering
on someone’s reputation2which makes hiding from the past mistakes an implausible event since an indefinite amount
of data can be achieved by inputting the data subject’s name in a search engine,2(p. 352). The phenomenon of forgetting
is an anomaly nowadays3,4 since personal data is just one click away in Google search. The problem occurs when a par-
ticular information brings an adverse impact on someone’s life by bringing facts to light. Facts might be parts of social
media, news, archive, or any other website directed through hyperlinks. The conflict of interest happens when someone is
accessing, receiving or disseminating those facts while exercising his or her legal right to freedom of expression and other
This is an open access article under the terms of the Creative Commons Attribution License, which permits use, distribution and reproduction in any medium, provided the
original work is properly cited.
© 2021 The Authors. Security and Privacy published by John Wiley & Sons Ltd.
Security Privacy. 2021;e157. wileyonlinelibrary.com/journal/spy2 1of14
https://doi.org/10.1002/spy2.157
2of14 FAI SAL
person of whom the information is concerned, while exercising another legal right, trying to hide them for good which is
the essence of right to be forgotten, an aspect of personal data protection enactment within European legal system.
With the advancement of communication technology, the traditional concept of making, accessing, and managing
records have been seen to shift from paper-based format to electronic format which can be available in a public networked
environment. That is why the striking balance between the two rights is more difficult, demanding, and challenging.5
Before jumping into balancing the conflicts between the two rights, little apprehension towards their relationship is
necessary for better understanding their positions in a democracy. Chief justice Beverley McLachlin set a precondition
for functioning a democracy properly in today’s complex world which is to protect two particular rights, namely, the
right to access to information and the right to privacy.6Empowered by Article 19 of the Universal Declaration of Human
Rights (UDHR)7and International Covenant on Civil and Political Rights (ICCPR),8again, Article 10 of the EU Charter
of the Fundamental Rights (the Charter)9and the European Convention on Human Rights (ECHR),10 right to freedom
of expression or right to seek or access to information into all public documents has received a strong recognition as a
human right. Right to information from the government is seen to be an element of a democratic society11 as it is backed
by the consent of the citizens who desire to be informed of government activities and thus, put check and balance in
place for countering abuses, enforcing rights and so on.12 Besides, privacy is understood as the core of individual auton-
omy which is responsible for developing individual dignity.7Article 12 of UDHR, 17 of the ICCPR, 7 of the Charter, and
Art. 8 of the ECHR, altogether establish strong and broad privacy right by prohibiting illegal interference with anyone’s
private and family life, reputation, and honor. Personal data protection right occupies a smaller portion within the broad
ambit of privacy law which aims to protect the right holder from a third party (natural or legal person) interferences.5,11
Besides, the proper safeguard of personal data is connected with citizen’s confidence and trust6and that is why the Gen-
eral Data Protection Regulation (GDPR)13 (Art. 1 (2)) protects natural persons’ fundamental rights, for example, right to
be forgotten (Art. 17) related to the protection of personal data. That indicates both the rights are distinct and respon-
sible for protecting different interests. With the enforcement of the Lisbon treaty, both the rights attained the status of
fundamental human rights within the European legal system.11 Though their positions are distinct and different, they
may collide or overlap at some particular points where access to information can be restricted lawfully if public records
include certain personal data11 such as matters related to unauthorized access to criminal records, journalists looking for
stories, individuals requesting access to public registers or social programme records, companies looking for commercial
data, academics looking for research data and so on.12 Ultimately, the right to access to information and right to personal
data protection overlap with each other to some extent. At that point balancing becomes inevitable by upholding the truth
and suppressing the guilt as it must not be forgotten what the legislation aimed to protect.
Going back to striking balance, the big question is whether the right to be forgotten, hereinafter referred to as RTBF,
can be considered as one of the restricting grounds of the right to freedom of expression since both are fundamental rights
under Art 8 and Art 11 respectively of the Charter of the Fundamental Rights of the European Union9and have been
seen to override each other. The phenomenon suggests that there is no standardized practice of establishing a definite
norm since it is required to be balanced against the competing rights.14 To put it differently, the accessors expect to be
successful in accessing any publicly available information but they can be empowered to do so while protecting privacy.6
From the origin of the right to be forgotten, the primary issue which has been seen is the balancing efforts between
this privacy right and other public rights since the primary right for personal data protection is not an unconditional right,
rather, its societal function also has to be taken into account according to the norms of the principle of proportionality and
Union common interest to meet its objectives to protect others’ rights and freedoms.14 After getting recognition from the
GDPR,13 the right to be forgotten found its strong base, in which public right to freedom of expression has been prescribed
as one of the reasons for limiting the right to be forgotten. (Art 17 (3)(a)).13 So, balancing is inevitable. Even the European
Court of Human Rights hereinafter referred to as ECtHR and the Court of Justice of the European Union, hereinafter
referred as CJEU, stressed multiple times that when applying privacy rights under Art. 8 of the European Convention on
Human Rights,13 hereinafter referred to as ECHR, and Art. 8 of the Charter,13 a balanced proceeding with other rights is
indispensable.15 The balancing mechanisms between privacy and publicity rights, most relevantly, between the right to be
forgotten and the right to freedom of expression gave birth to those relevant balancing principles, which are responsible
while determining whether the right to be forgotten would be allowed or not. In this regard, understanding the gradual
development of conflicting issues between these two rights is extremely important to understand the balancing points
derived from different viewpoints of the Union law.
The scope of this paper is limited to balancing apprehensions between the right to freedom of expression and the
right to be forgotten and it limited the discussion within spent criminal conviction data. For this paper, the term “spent
criminal conviction data” essentially refers to those data which refers to the data subjects who already have carried out
FAI SAL 3of14
their sentences through reaching the set period and the data has been erased following the lawful procedure, viz, under the
English Rehabilitation of Offender’s Act 1974, or non-habitual trivial offense records, or any offense which happened in a
moment of madness’ that does not belong to the character of the offender which happened once and a long time ago. Thus,
the debts are paid to society for their faux pas. Furthermore, the balancing task is carried out primarily based on the Google
Spain ruling and different provisions of the GDPR. Last but not the least, the reader is expected to possess the minimum
knowledge necessary to build the basic concepts of the right to freedom of expression and the right to be forgotten.
2BALANCING ISSUES DERIVED FROM GOOGLE SPAIN RULING
The Google Spain case possesses an overwhelming position in the right to be forgotten history since the judgment strength-
ened the position of the right to be forgotten in the way of delisting in 2014, just 2years before GDPR has been adopted
in 2016. Pre Google Spain initiatives proved that the right did not emerge out of anywhere, rather it was a polished ver-
sion of almost four decades existing in the European region. In 1973, a recommendation on halting unbridled hoarding
of data was found in paragraph (para.) 21 of the Council of Europe (CoE) resolution titled “Protection of the Privacy of
Individuals vis-à-vis Electronic Data Banks in the Private Sector”.16,17 Then right to erasure (RtE) provisions were found in
German and French data protection enactments in 1977 and 1978 respectively.18 It is to be noted that German law BDSG
not only defined a RtE but also categorized criminal offense data along with other types of data as “sensitive data”.18 On
the other side, French law provided a compilation of data protection rights altogether under Art. 26 of Loi Informatique
et Liberté. After that RtE was found in a paragraph in OECD guidelines of 198019 which reflected a year later in Art. 8 of
Convention 108.20 With the adoption of the data protection Directive (DPD) in 1995, RtE eventually was reaffirmed based
on which the CJEU ruled the Google Spain case.21
The CJEU in this case elaborated the right as an outright propagation of the fundamental right of data protection
under the Charter.21 This event assisted RTBF in attaining a distinctive position apart from the right to access as the
former right was always deemed as a subordinate version of the latter since its inception in the Union territory22 which is
evident in the repealed Art. 12 of the Directive.23 However, many still believe that it is still a subset of the right to access.
The court embarked to do so by relying upon certain Articles of the DPD23 and adhered to certain balancing initiatives
between the right to free expression and data protection rights under Art. 12(b) of the DPD with special reference to right
to erasure (RtE).
2.1 Tension in balancing between public access to information and privacy rights
While ruling the RtE (often referred to as a right to delist[RtD]) case, the honorable court used such languages which is
responsible to incite the controversy between penetrating information and the right to protect private data.21 The CJEU
exactly meant that since a right to erasure is not an exclusive right, it will cease to subsist unless it has been balanced
with other similar dominions such as the right to free expression or other publication rights.21 To put it differently, the
precedence of right depends on each context. In many cases, the CJEU considered it to be justified to allow access at
will to information,21 especially true under Art. 9 of the Directive 95/46 when the data is not used unlawfully and under
journalistic, artistic, or literary purposes exemption.21
The “personal data”13 remains on the web and who is to determine whether the data subject has the right to delist or
not. Because while assessing “public interest” as one of the overriding justifications of RtE, the honorable court held that
in cases where a “legitimate right to removal”13 is found, that right overrides the public’s interest in finding that particular
information on the basis of that person’s name.21 It further said in para. 81 that acceptance of an individual’s interest
in removing personal data under Art. 7 and 8 outweighs the public’s interest in accessing his or her information under
Article 11 of the Charter,21 provides an individual with a prevailing right of removal.13 Butthecourtdidnotmentionany
tangible element to prioritize between “public interest” and “right to removal” when both public and private interests
are competing, rather mentioned public figure principle under which applicant’s social position or applicant’s public
activities can generate public interest which can outweigh a right to be forgotten so easily. So, what remains unanswered
is whether any information is directed to qualify RTBF claim now, and some other subsequent information is generated
about that including all the material facts happened again will be considered as lawful or unlawful.
To add to the crisis, after GDPR came into force, another aspect pushes the controversy to another level which might
occur through data controllers like Google’s responsibility to inform the third party (who hosts the data) under Art. 17
4of14 FAI SAL
(2) of the GDPR, of any possible erasure, that the data subject apprehended and the subsequent effects caused by it.24 The
effects are essentially related to subsequent processing of the same data sought for removal. A case can be illustrated in this
regard which occurred in the United Kingdom, in which Google already delinked his previous outdated conviction data
from its database,25 and informed the host of the content where the article was published.25 Subsequently, the owner of the
webpage produced another article with the notification of Google’s removal from its search results along with the original
story from the beginning about the applicant’s conviction which drew the attention of other media websites too and ended
up producing more articles.25 However, the applicant further requested Google to delink all the article links again but
this time Google denied to do so on the ground of the news articles were new and of public interest.25 Consequently,
the applicant moved to the UK’s data protection officer (DPO) which is ICO with a data removal request. The ICO took
into consideration certain principles such as whether a public figure, nature of data, time-lapse, the detriment of the
data subject’s reputation, graveness of offense, and the involvement of journalistic material. While partially agreeing with
Google, the ICO found that the news articles as newsworthy and of public interest, the ICO further stated that the public
interest can also be mitigated without the name of the applicant which exposes him to his long spent criminal history.25
The ICO found the articles to be excessive with the purposes, pose a disproportionately detrimental effect on privacy
rights and cause the data subject anguish and ordered Google to delink the applicant’s identity from the news articles.25
So, though there is a tension between the public’s right to access information and an individual’s privacy rights, there
are also certain principles applied by different authorities that might be helpful to get a direction of balancing norms.
2.2 Tension in balancing between public right to access to archived information
and right to be forgotten
This second point of tension is derived from another lawful data processing exception which is data collection for sci-
entific, historical research, or public research purposes, and an individual’s right to delink that information. In Google
Spain, the CJEU, while supporting to determine on a case to case basis, ruled that the search engine data controllers
can be obliged to wipe the links which lead anyone searching for information against a name to the site the data is
hosted, under the DPD.25 Again, it did not outline exact elements when a request of removal of these unwanted links
shall be respected because the public’s right to access was already well established through laws and case laws but a right
to removal was not. Thus, it left tension between specific law and unspecific ruling though the processing of data for
archiving purposes in public interest, statistical, scientific or historical research purposes is allowed under Art. 6 (1)(b)
of the Directive.23
While determining RtE, the CJEU delimited the right within search only which is performed through the search
engines, not broader which means that the delinking was only effected against search engine lists while the information
remained in other places online. Indeed, the information can be retrieved by going to the direct website or even by search-
ing any other thing except the distinct name or any other identifying element of the data subject, for example, by home
or official address of the convict or other data subject’s name who did not apply for a RtE. Consequently, the RtE had not
been defined as total erasure of data, rather, mere restriction in finding the data. That is coherent to earlier critics such as
Markou’s argument who argued that forgotten does not mean a total erasure of the data.26 According to a distinguished
Internet scholar John Roberts, compared the scenario metaphorically by saying that it can be compared to making the
catalog of a library disappear, while the book is unharmed, stays in the same place in the collection.27 However, the anal-
ogy might seem to be not entirely right according to the findings of Google Spain since it more or less appearing that the
books stay, so as the catalog, just an entry from the catalog is omitted, not the entire catalog. For better fathom, even the
book remains in the exact place to say that if anyone knows the name of the author or category of the book, he or she can
find it by going to the exact place. That is why Jimmy Wales opposed in page 27 of Google Advisory Council Report 2015
which stated that the exposer’s actions “are being suppressed” and said that the report represents an exaggerated effect
of RtE,28 which is not true, in particular, not consistent with the actual effects of RtE. However, other commentators are
also available who supported the Advisory Council Report to an extent by saying that there should not be any distinc-
tion between data available in different sources such as files, archives such as newspaper, or government records which
can be found through search engine searches.28 In my opinion, data hosting and processing exponentially matters, and
it matters heavily since the government is not a private organization or institution that is driven by profitability, unlike
any other private institutions for whom making a profit is a legitimate interest in their business. That is why the CJEU
became so serious while nullifying the economic interest of the search engine operator Google in paragraph 81,21 stressed
on considering the nature of the personal data, in particular, considering the payoff of those data in data subject’s private
FAI SAL 5of14
life in and balance with the public’s interest in accessing the information.21 Of course, the data subject’s having a public
role needs to be taken into account.21
This is in pessimism to the scholars like Mayer-Schönberger29 and Bernal 30 who wanted to see a pure deletion or
erasure through a successful exercise. However, since the data is usually still available, any party with legitimate interest
for example, if any bank is considering to provide a loan and wishes to look into a bankruptcy history, then it can perform
a search by putting the loan applicant’s formal name or anything else though it is not guaranteed that it will be able to
find something even if, there is any data. To accommodate relevant legitimate interests, specific provisions in multiple
domestic data protection acts have been made to empower the relevant stakeholders to keep the balance which will be
adhered to later on. For now, the distinction in this case from the above case is in the former situation, the search example
is general, but in the latter case, a purposive search is performed. So, the ultimate balance is that total erasure was and
never supported by the Google Spain judgment, and so the history, or the data is intact online. Besides, whether the data
subject’s activities involve any public interest or not will be taken into account. According to Bernal, the judgment failed
to reach the milestone which many privacy advocates asserted to cross.30
2.3 Tension in balancing between different provisions of the Charter
According to Drummond, the CJEU prioritized the RTBF in the Google Spain case, while outlaying free expression rights
which also have a similar status in CFR, and both are considered as fundamental principles after Lisbon Treaty came into
force.31 The meaning of the sentence is clear and true to be interpreted but to some extent. Such a statement would need
to be clarified since it completely overlooks the principle of balancing under Union law. However, CFR protects the free
expression right quite vastly, in particular, it does not directly allow free expression to be hindered by an RTBF.31 But a
limit on free expression based on an RTBF can easily be accommodated through interpretation within the limitation sub
Article of Art. 11. But the real controversial point is that though individual data protection right is also ensured in CFR,
it does not entail any other ground other than consent-based processing and any other lawful way in Art. 8,9for example,
under any of the grounds mentioned in Art. 6 (1) of the GDPR, the latest procedural dictation. Analogically, it does not
purport to prioritize one right over the other, at least does not authorize to limit freedom of expression on the ground of
exercising RTBF.9It will not be excess to tell that the statute manifests equality over both the rights. To put it differently,
every provision in the Charter has its exclusive goal, for example, being a primary and substantive piece of legislation,
the Charter aims to provide control over personal data in its Art. 8 while the GDPR tends to supplement the secondary
and procedural part of it.22 But in Google Spain case, it recognized the right in concern (RTBF) in the form of delinking
to personal data over right to freedom of expression in the form of restricting right to access information. Consequently,
it remained unclear whether data protection right is prioritized over publication right such as free expression under the
CFR when the same practice is applied to a specific situation, viz, data erasure requests on behalf of the spent convicts.
Though it is true that one right cannot exist without the other, now, Article 10 of GDPR provides special protection on
data related to criminal convictions and offenses.
2.4 Post GDPR tension in balancing between GDPR and CJEU practice on privacy
rights
Right to be forgotten codified by the GDPR which can be considered as the second generation of this right as well as the
second generation of balancing regime.
Article 10 of GDPR mandates the processing of personal data with criminal offense record upon authorization of
Union or Member State law only. Recital 19 of GDPR reaffirms the protection against the processing of data regarding
criminal convictions under specific Union legal Act though this enactment does not deal with this issue in particular.
Furthermore, while outlining the derogations relating to the “archiving purposes in the public interest, scientific or his-
torical research or statistical purposes,” GDPR emphasizes data minimization because of rights and freedoms of the data
subject.13 It is to be mentioned that data minimization has been mentioned or already has the status of a monumental
principle in the data processing area (Art. 5).9To serve this purpose, pseudonymizing is mentioned as a tool so that the
data subject becomes unidentified. But in reality, maintaining consistency with Art. 10, the CJEU as an EU institution
authorizes processing through its communication by publishing its rulings in form of a press release and allowing third
6of14 FAI SAL
party processing for journalistic and public interest purposes which leaves room for tension in complying with the GDPR
concerning privacy rights.
Also, while applying the concept of personal data to be removed for the right to be forgotten application, the CJEU
limited the definition in Google Spain ruling to the name of the data subject. But in GDPR, under Art. 4 (1), the notion of
“any information relating ” broadened the scope of defining personal data in a way which undoubtedly went beyond
the notion of the name only, but to include anything possible to indicate the data subject such as a residential or official
address, any specific health condition, location data, online credentials identification or any other unique identifier. This
raised concerns of the historians, researchers, statisticians, and other relevant stakeholders of legitimate data user groups.
3FOOTSTEPS OF DIFFERENT AUTHORITIES IN UNFASTENING THE
TENSION AND THEIR SOLICITATION
This portion tends to analyze balancing approaches made by different sectors of competent stakeholders. In this section,
based on core role players such as the Court of Justice of the European Union(CJEU), European Court of Human Rights
(ECtHR), Scholarly and GDPR approaches are analyzed to identify the loopholes while discussing the approaches with
two real-life and two fictitious cases.
Easing tension or balancing the conflicting interests mentioned in the previous section can better be understood with
real-life scenarios of the victims who already spent their convictions or in a similar sense. In one prominent case, one
claimant GC requested a link to be delinked from the Internet in which she is represented satirically with the city mayor
to whom she served as a cabinet head to show the existence of an intimate relationship between them so that in the long
run, she can derive political benefits.32 The montage of the photo in question came into light when GC was running a
provincial election in which she was a candidate but ceased performing in the previous job. In the second case, ED, the
claimant, requested for delinking two articles disclosing his criminal history of sentencing 7 years imprisonment and
additional 10 years of judicial overseeing for committing a sexual offense against 15 years old children.32
Also, there are some fictitious cases which are collected from different sources, mostly based on the UK such as the
guest speeches of ICO’s Data Protection Conference33 and Unlock, an NGO that collects evidence of people who have
applied for their “search results” to be removed by Google and others but failed.34 First case is about Sonia (anonymized)
who was convicted of Arson, spent her conviction, and was doing a job at a good pace. Her previous husband decides
to destroy her after divorce and for that he prints off the newspaper article found in Google about her convictions and
threatens to post everywhere.34 Second case is about Natasha (anonymized), a school teacher convicted for 4 years of fraud
in duty. Now after spending her conviction, she is again working with a school but at entry-level. The employer informed
her about few chances of progressing due to the possibility of backlash from the concerned parents of the school children.
All these happen because her conviction article is visible online.35
Now, based on the balancing approaches derived from the CJEU and ECtHR rulings, scholarly thoughts, and the law,
the following section will try to answer a logical issue in general. The issue is that whether the scope of Google Spain
ruling demands all links connecting to the personal data to be obliterated.
3.1 Implication of CJEU and ECtHR approaches in balancing privacy rights
and freedom of expression
Easing the tension between publication right in the particular right to freedom of expression and individual data protec-
tion right in particular right to be forgotten proved to be difficult as both have to accommodate each other and coexist.
The CJEU approach in easing the tension is worth mentioning in this context because the honorable court tended to bal-
ance them in analogous dominations. Using the same mechanism might serve as derogatory grounds from freedom of
expression for privacy rights or the right to be forgotten.
In Bodil Lindqvist,36 the CJEU stated that gauge of weighing between those contradictory rights race against each
other within the ambit of the contemporary data protection enactment.36 Specifically, the contemporary data protection
law defined the scope of lawful and unlawful processing intending to prevent illegitimate processing from happening or
continuing under the native legal intellection.36 The GDPR also empowered and encouraged the domestic data protec-
tion enactments through Art. 2, 23, and 85. Art. 2 described that the Regulation extends to every automatic processing
wholly or partly, and other processing as well which involve filing system while Art. 23 empowers the Member States to
FAI SAL 7of14
formulate laws to restrict the data controllers or processors conditionally from exercising data protection rights within
their jurisdiction when the condition respects the essence of fundamental rights and freedoms which indicate balanc-
ing because the restriction is essentially associated with the values of a democratic society. Last but not the least, Art. 85
marks the needs of reconciling freedom of expression and information while vesting the responsibility in the alignment
of the Member States to align it between Art. 11 and Art. 8 of the Charter including processing carried out for journal-
istic, academic, artistic, or literary expression purposes and their derogations. To make it clearer, the effective balancing
mechanism has been outsourced in the hands of the national legislators. Again, while delegating powers, the GDPR rec-
ognized the wide variety of national divergence evolved from the DPD37 and thus, prevented the CJEU from providing
abundant primary interpretations at the EU level.38
Consequently, a remarkable number of European nations have already enacted data protection laws at the local level
to maneuver the rules and procedures of balancing apprehensions. For instance, the Federal Data Protection Act39 of Ger-
many is worth mentioning since the territory was one of the predecessors of RtE. Sections 27 and 28 of the Act allow the
processing of special categories of personal data (section (sec) 48) for scientific, historical research, historical and archival
purposes while facilitating particular safeguards such as anonymization, authoritative custody, or severance from main-
stream processing mechanism (sec. 50). Again, section 35 interestingly provides a RtE by adding to the RTBF derogatory
grounds within Art. 17 (3) of the GDPR. It enumerates that in the event of nonautomated data erasure is impossible or
if the mode of data storage and data subject’s interests in erasure lead towards a minimum impairment, the data sub-
ject is barred from claiming a RtE conditioning that the data has not been processed unlawfully, or negatively affect the
legitimate interests or the retention period has expired. In addition, to illustrate Finnish Data Protection Act,40 it has an
exclusive provision based on Art. 10 of the Regulation, in sec. 7 which particularly deals with issues relating to the pro-
cessing of personal data relating to criminal convictions and offenses which only permits processing for legal claim related
issues while allowing processing only under official and competent capacity and within a secured manner of processing
(sec. 6).40 Again, it is all about providing tools of balancing.
So, certain native legal intellections along with Art. 17 (3) of the Regulation with having the reflection of Art. 9 of the
DPD include derogatory grounds that leave rooms for the Union Members to allow processing under any of those partic-
ular principles. The purpose of providing the exceptions in the name of derogations is clearly stated in the DPD which is
to ensure the coexistence of both the rights through weighing each other in a particular situation.23 It needs to be kept in
mind that the mechanism of ensuring coexistence completely differ now and before when the DPD was operative. That
is why in the Bodil Lindqvist case, the CJEU instructed the Member States to make sure the enforcement of the weighing
mechanisms through the exercise of their freedom of approach manifested in the contemporary law.36 It further added to
show persistency while weighing since the domestic courts were expected to balance the competing rights by relying on
the primary principles set by the Union legal order.36 In addition to that the CJEU stressed in paragraph 81 to envisage
different interests in motion by considering the particular information’s impact on personal life while balancing between
privacy interest such as RtD and publicity interests such as monetary gains of the search engine, the data subject’s hav-
ing any public role or practicing freedom of expression.21 In another case before the ECtHR, the honorable court found
the necessity of unifying the approaches so that a better harmonization can be achieved through providing guidelines for
weighing competing interests.41 The judgment vigorously made it clear that none of the competing interests, in particu-
lar, individual privacy right and public freedom of expression are exclusive, therefore, both of them can be restricted if
appropriate reasons are found reconciled within the law, serve the purpose of providing rights and last but not the least
is consistent with the democratic merits of a particular legal system or the society.41
Being a privacy right, this logic can be applied to the right to be forgotten. Turning to the abovementioned case of GC
and ED, the CJEU interpreted publication or further processing of data and right to freedom of expression must exclude
the processing of sensitive or special category of information unless otherwise is expressed in the law. It is to be noted that
Article 9 of the GDPR defines special categories of data that are affiliated with expressing “racial or ethnic origin, political
opinions 32 In the case of GC, the article was associated with her political belief and orientation. Besides, the alleged
relationship was not proven which makes it an inaccurate data subject to exercise right to object under Art. 21 of the GDPR
which interfered with her privacy rights unlawfully. However, she was a public figure at the time of performing in the city
council, even at the time of the judgment she was a figure whose activities were related to the public. To put it differently,
the common people had the interest to know about her since she was running the provincial election. But the fact needs
to be brought up that, not only the accuracy of the information is questioned, but also the information was brought to
light in a crucial moment when she was running her campaign. Journalism is clearly in bad faith and to harm her public
face which was not brought any time before. Furthermore, she has not connected with her previous profession anymore.
8of14 FAI SAL
In that situation, her privacy right should be respected in the event only the information about personal relationships is
nothing but false.
Turning the situation in the case of ED who was convicted for sexually abusing children under 15 years of age. Article
10 of the GDPR forbids the processing of criminal data without the control of the official authority. Even it says that
any maintenance of criminal history database has to be under official authority. Though the law seems to be attracting a
deletion of ED’s conviction data, other factors compete to detract it. For example, the nature of the offense is gruesome.
It might become relevant to the public as long his activities include the common public in general which will necessarily
attract both journalism and public interest. For example, if at any time he starts performing duties with institutions that
offer its activities to the children, then the common people having services from that institution have a legitimate interest
in the former criminal activities associated with children and thus, the adverse impact to his personal life caused by the
availability of his data in question loses traction to grip. Undoubtedly, it can be well beyond his right to privacy and data
protection.
Now considering the presumptive case of Sonia, availability of her conviction story for arson presumably does not
fulfill any journalistic, artistic, or literary purpose anymore since the journalism purpose has been achieved already and
so unavailability after a certain time would not frustrate any of the purposes anymore. Besides, if she does not play any
public role, or takes part in any public activity then, her data attracts to be removed online to make her life easier by
not providing a weapon of malicious defamation by her ex-husband. On the contrary, the news about the school teacher
Natasha might be very crucial for journalistic and public interest purposes as she committed the crime in a position of
trust and while involved in taking care of children who belonged to common people. So, Google Spain might not attract
the situation as the public has a legitimate interest to know everything related to their children now and in the future
since her conviction was against society especially when she was vested with official duty.
The balancing methods employed by the CJEU provide some guidance on the qualification of public interest but lack
clear direction for the Member States since guidance does not cover all contemporary challenges raised after GDPR came
in force. Rather it encouraged Members to strike a balance at some point against privacy interests which was against EU
law harmonization.
3.2 Implications of scholarly opinions on balancing the rights at issue
First of all, scholars are divided in describing the reach of RTBF. Some believe that the CJEU failed to ever establish the
comprehension of GDPR, while others believe that it is the inception of the modern era of privacy rights.42 Opinions of
the scholars and advocates can be considered a great source for looking into the balancing approaches. Niilo Jääskinen,
the advocate general thinks that since the right to free expression attracts elemental safeguard within the Union legal
system,43 safeguards must be taken from putting the primary responsibility of shifting the balancing approaches to the
data controllers such as the Internet search engines43 or other data controllers, in particular, in cases of erasing a data
or deciding right to be forgotten cases, though responsibilities have been vested upon the controllers under Art. 17 (2) of
the GDPR. He again tended to reaffirm the strong respect of freedom of expression in the EU while his concern about
delivering discretion to search engine companies to decide whether data subjects will be allowed to have their right to be
forgotten or not. In a nutshell, the Advocate General is particularly concerned about the greater power vested on the data
controllers to take initiatives in balancing complex competing rights since great power demands greater responsibilities
and the data controllers can err in disposing of their responsibilities for so many logical reasons, for example, trying to
avoid detrimental legal consequences anyway, exploiting more for their legitimate profit interests and some others.
Besides, Advocate General Szpunar opined in his opinion on case C-136/ 17 that the settled case laws of the ECtHR
think that the ability of the Internet in terms of providing data storage and communication is outstanding which essen-
tially provides enhanced access to the public to news and other information and thus, simplifying the publication of all
types of information in general.44,45 He further added that the ECtHR ruling not only applies to the data retained through
the Internet but also to the ways and means through which it is communicated or sent or received.46 However, while
analyzing his opinion, he stressed the fact that the journalism factor used by the journalists and the listing priorities
performed by the search engines are completely different.
Again, while noting about balancing between public and private rights, Lindsay stated that it is possible under the
GDPR to show and interpret that the privacy interest of the individuals can poise the opposite interest of the common
people.47 The GDPR, the reformed version of the DPD, limits a right to be forgotten when limitations are plausible for
FAI SAL 9of14
“journalistic, artistic, or literary expression, for protecting the public interest in public health, or for historical, statistical,
or scientific research purposes”.13
While perceiving disclosure of personal information as governmental and nongovernmental, Jacobs and Larrauri
stated that the European countries foster the protection of one’s privacy through protecting honor and dignity from both
types of disclosure.48 They added that the disclosure of particular information may lead to the violation of privacy rights
irrespective of the information’s being true or spurious since the EU legal systemnever focused on a piece of information’s
being right or wrong, rather, in the event of communication turns detrimental for others’ image, the focus is drawn on if
the processor of the data or the correspondent has a right to reveal the information or not.48
Turning into both real-life and fictitious cases, the majority of scholars indicate that GC, ED, Sonia, and Natasha
all can either qualify or disqualify a claim of right to be forgotten depending on so many factors. The most commonly
overlapping opinion is that right to access information merits particular protection in the EU. On the contrary, historians
such as Antoon De Baets opined that the scope of derogation from the right to be forgotten should expand to all forms
of expression. However, in my opinion, the latter opinion suggests no existence of the right to be forgotten and against
coexist principle which is contradictory and obsolete with the Union legal system.
3.3 (Dis)Harmonization through GDPR in pre-established rule of allowing
the Member States to strike a balance
The 1995 Directive along with CJEU’s empowerment provided the Union Member States with the freedom to choose
appropriate approach according to their every domestic adherence to ensure the balancing between the rights in the event
of there is a lack of synchronous guidance under the law, caused disharmonization in the EU law. According to the high-
est court, Art. 13 of the Directive made the Member States free to formulate their legislative acts to indicate the limitation
of people’s right to information.49 Besides, the CJEU stressed State involvement in performing the balancing tests. Bodil
Lindqvist and Satakunnan Markkinapörssi have been discussed already above in this context. The CJEU confirmed in
Bodil Lindqvist that the functionality of balancing between concerning fundamental rights are executed from the domes-
tic enactments of each Member State which is responsible for redacting the Directive.36 This is however confirmed again
in another case in which the CJEU provided broad discretion to the Union Members to take into account their culture
and tradition for construing the rules and procedures in balancing rights.48 Now, with the enforcement of GDPR, harmo-
nization is achieved through the direct effect of this law. Consequently, it is assumed the frustration of disharmonizing
derived from the Directive and established by the CJEU waved remarkably.
Hence, one of the greatest obstacles is that only one right has been recognized as one of the overriding justifications
over the right to be forgotten that is right to freedom of expression and information.47 As RTBF has already been recog-
nized by the CJEU and is one of the privacy rights, the balancing mechanisms between privacy rights and freedom of
expression can be a tool for now to overcome the situation. In this matter, GDPR’s method for choosing between com-
peting rights does not differ from those employed by the case laws though Recital 19 and Article 10 of the GDPR jointly
mandate individual’s protection against the processing of data regarding criminal convictions and offenses under specific
Union legal Act which derives its objective to balance. Recital 153 also supplements the statement since it also empha-
sizes reconciling the data protection provisions with freedom of expression in audio-visual fields, and maintaining news
libraries and archives.13
Turning into the cases, GC and Sonia deem to be awarded her right to be forgotten under GDPR since any of the
overriding conditions of their right to be forgotten is presumably not satisfied. Even if, it becomes necessary for free-
dom of expression or journalistic or archiving purpose, then using pseudonyms would respect her rights and freedoms
through data minimization under the GDPR data processing principle under Article 5 (1)(c).13 Again, in the case of ED
and Natasha, for sake of public interest, journalism, and archiving; these cases might not attract the right to be forgotten
since the public’s right to access information is necessary. People have a legitimate interest to know on whose hand their
children are being educated and raised. However, other competing interests will have adhered to the upcoming sections.
4CONTEMPORARY PRINCIPLES OF BALANCING IN MOTION
To summarize, the fundamental rights must be weighed against each other so that they can co-exist together. In that case,
the highest Court showed greater importance particularly on weighing the legitimate interests of the public in a piece of
10 of 14 FAI SAL
particular information sought.21 For this reason, elements responsible for making a person a public or private figure and
what activities fall within the scope of public needs to be discussed as one of the implicated principles in another paper
along with the elements of other principles which is not a subject matter of this paper.
Analyzing the previous discussion, it is ascertained that balancing between the right to freedom of expression and the
right to be forgotten comprises balancing of multiple connotations. The substances are sometimes mentioned directly
in law and sometimes derived from CJEU and ECtHR cases, and scholarly opinions. Ensuring proper balancing proved
to be a herculean task due to several reasons among which the most important is that the principles are dynamic and
function differently on a contextual basis. Though RTBF strengthened its position in the guise of delisting right in CJEU
Google Spain ruling, it is materialized for the first time in GDPR altogether. Now, we will turn into identifying the active
principles of balancing between RTBF and the right to freedom of expression.
4.1 Lawfulness and unlawfulness of processing
The vagueness in the balancing principle is analogously persisting under CFR and GDPR when it comes to the spent
convicts. On one hand, traits between Art. 8 (right to respect private and family life) and 11 (right to freedom of expression)
of the CFR remains in discomfort though the matter has been discussed in the earlier part of this paper. On the other hand,
Art. 10 and recital 19 of GDPR, vests responsibility on the data controllers to process data related to criminal convictions
or offenses only under official authority like the Data Protection Officer. But being a primary and substantive source of
law,22 Art. 11 of the CFR allows exercising freedom of expression regardless of any frontier and public authority which
clearly shows the complexity of determining the lawfulness of the processing. Depending on the matters and principles
at issue, it is clear that it is a matter of contextual determination only which has to be performed in compliance with the
motives and provisions of the law.
The processing principles exercised by the CJEU, ECtHR and GDPR can be construed towards striking balancing
mechanism through a gradual developmental framework. Because one thing is common among all the undertakings
which are per law or the grounds of the lawfulness of data processing. While setting out the parameter of lawfulness,
the CJEU introduced terms like “inadequate, irrelevant, no longer relevant, excessive with the purposes of processing.”21
Besides, both CJEU and the ECtHR legalized processing for archiving data for public use in the conduction of scien-
tific or historical research. Public protection is adhered to by allowing processing on the ground of exercising freedom
of expression too. And public rights are protected if that is consistent with the principles laid down by the law, meets
the objectives of fundamental protection, and comports with the values of a democratic society. Now, the provisions
of the law are clear with the enforcement of GDPR which defines the scope of the lawfulness of processing in its spe-
cific Articles. However, in construing the principles of case laws derived from both CJEU and ECtHR in collaboration
with the GDPR, certain principles abrogated with the enforcement of GDPR which were appointed during the Direc-
tive regimen. For example, while prioritizing between public and private interest: both the instruction and discretion
of the Member States to adopt national provisions following personal social values and traditions are presumed to be
eroded and ousted.
GDPR only broadened the scope from search engine to controller but did not architect any design defining who is
responsible to cross-check these balancing enforcements which should be efficient enough to respect the right to privacy
and personal data of spent convicts in each case. Maybe this is to accommodate the best practice to adopt which would
suit to confront the upcoming issues and challenges.
At this moment, though GDPR might be the hegemony of related lawfulness of processing, it lacks to stir the proper
balance well with special reference to the spent convicts. It can be said for now that the ruling started filling the gaps
through outlining principles, more needs to be done after the expansive provisioned enforcement of GDPR to keep data
protection in the spirit which is intended to discuss thoroughly in another paper.
4.2 Countervailing public and private interests at stake
In terms of the apex court, it failed to formulate a test to prioritize public and private interests when both inter-
ests are competing in the same litigation. This problem is still lurking especially after GDPR’s allusion of freedom of
expression as one of the derogations to the right to erasure. It would be reasonable to say the right to freedom of expres-
sion would remain backed up like an antecedent. Express derogation from erasure on the ground of free expression
FAI SAL 11 of 14
supports that claim while it is also true that according to Art. 85, balancing between the rights is one of the objectives
of the GDPR.
Here the potential clash is again visible because GDPR mandates the right to exercise freedom of expression and
information as one of the derogations of the right to be forgotten under Art. 17 (3)(a) of GDPR. According to Recital 19
and Article 10 of GDPR, one of the objectives is to protect the basic freedoms and rights of the convicts. Additionally, Art.
10 (2) of ECHR outlines the protection of reputation and rights of others as one of the reasons for restricting freedom of
expression. So, as long right to erasure or to be forgotten has the effect of protecting other’s reputation and rights, balancing
becomes inevitable since it might impose a restriction on freedom of expression which is not ensured comprehensively
because certain tensions are yet to be eased for better fathom. In this matter whether the present legislation encourages
the removal of information needs to be discussed in the next paper.
Also, to prioritize free expression right over RTBF, the Spanish Tribunal Supremo (Sala de lo civil) formulated a
justification test for determination through certain judgments. Being truth, newsworthy, and germane are the con-
stituent elements of the so-called justification test.50 First, the processing is deemed to be justified even if particular
information is detrimental if the information concerned is true or the data is the outcome of someone’s rational effort
of determining the truth, or it is revealed in good faith. Second, newsworthiness is another criterion for acceptable
processing which is required to have connected with public opinion or public interest. However, a tendency of elab-
orating the term “newsworthy” is visible to have a broader interpretation nowadays comparing to the past which
facilitates news media to have expansive leeway in publishing criminal history through the publication of any crim-
inal database or any criminal database related to a specific case is not allowed. Last, it has to be studded with a
news story that has been published earlier and needs to be published or processed to form an important part or
complete the story.
To make it clearer, neither distinction between acts of public interest and private interest, nor acts that fall within
the ambit of those two competing interests have been expansively revealed yet though in Google Spain it is said that any
work related to the public lies within the public interest. But the reasons are unclear on why the public motivates their
interest in an act that is private. So, what are the factors which make certain acts or certain personalities public? or is
the term “public interest” have flaws in itself since it is so generic? These are convened neither in any case law, nor in
GDPR though both the GDPR and some of the case laws mention some of the components in some names associated
aimed at journalistic, research, historical, and archiving endeavors, but did not categorize directly between public and
private interests. The same goes with the principles responsible for the construction of public and private individuals: by
character or by activity? So, matching the balancing puzzles through discussing the evolving norms of both the public
and private interests is necessary to see whether balancing is moving towards a more privacy-friendly environment or not
which will be adhered in the next paper.
4.3 Achievement of purpose doctrine
The terms used by the honorable CJEU in Google Spain stating “inadequate, irrelevant, no longer relevant, excessive
with the purposes” of processing indicates that there is a point when the purpose of the processing is achieved. To
illustrate the purpose achievement doctrine: for instance, when a person is convicted of assault and battery, it can be
assumed that after a certain period, the news or information becomes irrelevant to continue processing for journalistic
or any other overriding purpose which means that further processing might be performed only for detrimental pur-
poses on behalf of the concerned individual’s privacy. It also might be the case where limited processing of the data
continues, for example, if the case is being appealed and the previous data is being referred in situations where issues
reemerge. The purpose achievement situations are seen in Google Spain where the court judged against further process-
ing in fulfillment of the purpose. Even purpose limitation has now become one of the fundamental principles of data
processing in the EU. Data with special reference to data related to spent convictions and offenses are not allowed to
process without consent or authority. However, there are justified grounds when data continues to be processing even
after the main purpose such as journalism is achieved but secondary purposes are yet to be achieved such as for employ-
ment in concerned places. But what happens with those conviction data which can never be processed such as revealing
witness identities irrelevantly, or which never fully achieve the purpose of processing due to having public interest, or
what happens even if achieved the purpose of processing, but the availability of data is necessary for greater public
interest are still unclear since in general, there is no time limit prescribed anywhere to mark the milestone of purpose
achievement.
12 of 14 FAI SAL
5CONCLUSION
To conclude, statutes, the CJEU, the ECtHR, and scholars agree that balancing is needed at some point between the
right to be forgotten and the freedom of expression.50 But the complication is to balance the persisting issues enshrined
in CJEU’s Google Spain decision which caused tension among these two rights’ elements. Historically, the right to be
forgotten remained vague for certain reasons. Firstly, the CJEU did not decide how much weight one right should carry
against the other. Secondly, the CJEU only ruled for search engines like Google, Yahoo, Bing, and some others to delink
the information where the original content remains with the publisher’s website. The obvious reasons for that might
be the strong mandate and established respect for the right to freedom of expression and maintaining the availability
of information in some way so that they are not lost forever since the right possess a considerably strong position in a
democracy. Fortunately, now the GDPR tackles both the problems in theory by specifying something to talk about while
making data controllers liable for complying with the provision.
So, balancing has just entered into youth after surviving infancy and youth maintains considerable lacunas in defining
and interpreting principles. However, the existing mechanism of balancing is still working but not diligently as the rights
are guaranteed. Since upholding fundamental rights is one of the mandates of the EU legal framework, more visible
protection is indispensable. To put it differently, balancing is in its second generation and we need to push it to the
third generation for more tangible forms. For this, the identified areas need to be settled down in the next writing while
fragmenting and elaborating the elements of each principle to empower the balancing with those necessary enhancing
norms which are supposed to show whether the third generation balancing regime will move towards the right direction
or not. The emerged principles are the imminent tools of allowing or rejecting the right to be forgotten claims in spent
criminal convictions in the future.
ACKNOWLEDGMENTS
Undertaking a research career is one of the most significant and life changing decisions in the walks of my life and in
this transaction, I was fortunate enough to attain another master’s degree in Law and Information Society in Univer-
sity of Turku, Finland. The attainment would have been difficult without the cooperation and support provided by the
university staff and facilities. At first, I am delighted to convey my gratitude to my research supervisor Juha Lavapuro,
professor of public law, University of Turku for his authentic guideline and fellowship which helped me to undertake
and perform pure doctrinal research aspects. This empowerment enabled me solely to undertake and complete the origi-
nal master’s thesis with the collaboration of the respective educational institution from which original articles have been
derived. In addition to the research supervisor, the support of the faculty coordinator Riikka Matikainen, and mentorship
of other academic staff such as Dhanay M. Cardillo Chandler and Daniel Acquah who were responsible for conducting
the advanced studies played worth mentioning roles in building up research ambience. Last but not the least, the techno-
logical and academic research friendly collaboration that I receive from the University of Turku is outstanding to create
opportunities for me. It is to be mentioned that the concerned paper is one of the originals articles of my latest master’s
thesis which I am embarking for publication and is not submitted anywhere else for publication. The paper is not sub-
jected to any commercial undertaking or any project which is funded by the government or any other organization and
therefore, there is no possibility of arising any conflict of interest in the future.
DATA AVAILABILITY STATEMENT
The author confirms that the data which has been used to outline the findings of the study collaborates the outcome.
The data is available within the statutes, articles, and case laws outlined in the references. The research data has been
derived and analyzed for the independent verification of the outcome. A pure doctrinal methodology has been adopted
and the workflow was maintained accordingly. That is why the findings have been transfigured from the already existed
information.
ORCID
Kamrul Faisal https://orcid.org/0000-0002-0691-6146
REFERENCES
1. Peter K. The Life of John Locke, with Extracts from His Correspondence. 7th ed. London: Journals, and Common-Place Books; 1829.
2. Rustad M, Kulevska S. Reconceptualizing the right to be forgotten to enable transatlantic data flow. Harv J Law Technol. 2015;28(2):386.
FAI SAL 13 of 14
3. Mayer-Schönberger V. Delete: The Virtue of Forgetting in the Digital Age; Princeton: Princeton University Press; 2009. doi:https://doi.org/
10.1108/rmj.2010.28120aae.001
4. Lessig L. The architecture of privacy. Vanderbilt Entertain Law Pract. 1999;1:56-65.
5. Whitman J, McLeod J, Hare C. BIAP: balancing information access and privacy. JSocArch. 2001;22(2):253-274. https://doi.org/10.1080/
00379810120081190.
6. Beamish B. Protecting and Balancing Access and Privacy Rights the Role of the Public’s Right to Know; Ontario, Canada: Information and
Privacy Commissioner of Ontario; 2017. https://www.ipc.on.ca/wp-content/uploads/2017/11/2017- 11-07-uoit-final-web.pdf
7. United Nations. Universal Declaration of Human Rights; 1948:1–8. https://www.ohchr.org/EN/UDHR/Documents/UDHR_Translations/
eng.pdf
8. International Covenant on Civil and Political Rights, Adopted and Opened for Signature,Ratification and Accession by General Assem-
bly Resolution 2200A (XXI) of 16 December, Entry into Force 23 March 1976, in Accordance with Article 49; 1966. https://www.ohchr.org/
Documents/ProfessionalInterest/ccpr.pdf
9. Official Journal of the European Union. EU Charter of Fundamental Rights: Charter of Fundamental Rights of the European Union, OJ
2010 C 83/389; 2016:389–405.doi:https://doi.org/10.4337/9781786435477.00032
10. Council of Europe. European Convention on Human Rights: European Convention for the Protection of Human Rights and Fundamental
Freedoms, Sept. 3, 1953, ETS 5, 213 UNTS 221; 1950:1–62.doi:https://doi.org/10.1192/pb.27.12.463-a
11. Human Dynamics. Legal Balance If Interest between Transparency ofPublic Life and Data Protection; 2020. https://dzlp.mk/sites/default/
files/doc_id_1.1.21.pdf
12. Banisar D. The Right to Information and Privacy: Balancing Rights; 2011.
13. The European Parliament and of the Council. EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European
Parliament and of the Council of 27 April on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the
Free Movement of Such Data; 2016:1–119. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL
14. CJEU. Volker Und Markus Schecke GbR (C-92/09), Hartmut Eifert (C-93/09) v Land Hessen, Joined Cases. Joined Cas. 2010;ECLI:EU:C:
2010:662:11117-11161.
15. CJEU C-275/06. Productores de Música de España (Promusicae) v Telefónica de España SAU CJEU C-275/06. Paragraph. 2008;ECLI:EU:C:
2008:54:309-348.
16. Committee of Ministers. Resolution (73) 22 on the Protection of the Privacy of the Individuals Vis-a-Vis Electronic Data Banks in the
Private Sector (1973); 1973. https://rm.coe.int/1680502830
17. European FRA, Agency U. Opinion of the European Union Agency for Fundamental Rights on the Proposed Data Protection Reform
Package; 2012. https://fra.europa.eu/sites/default/files/fra-opinion-data-protection-oct-2012.pdf
18. Nugter ACM. Transborder Flow of Personal Data within the EC, A comparative Analysis of the Privacy Statutes of the Federal Republic of
Germany, France, the United Kingdom and The Netherlands and their Impact on the Private Sector. Deventer: Kluwer Law Tax Publ; 1990:62.
19. Van AB. Liability under EU data protection law. Jipitec 3. 2016;7(d):271-288.
20. Council of Europe. Convention for the protection of individuals with regard to automatic processing of personal data; 1981:1–9.doi:https://
doi.org/10.1017/s0020782900043230
21. Google Spain SL. Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González, CJEU C-131/12. 2014;1-21.
22. Ausloos J. The Right to Erasure in EU Data Protection Law. First ed. Oxford: OUP; 2020.
23. The European Parliament and the Council of European Union. EU Directive 95/46: Directive 95/46/EC of the European Parliament and
of the Council of 24 October on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement
of Such Data, OJ 1995 L 281/31; 1995:31–50. https://doi.org/10.3233/978-1-60750-871-7-83
24. Neville A. Is it a human right to be forgotten? Conceptualizing the world view recommended citation is it a human right to be forgotten?
Conceptualizing the world view. St Cl J Int Law. 2017;15(2):157-171. https://digitalcommons.law.scu.edu/scujil/vol15/iss2/2.
25. Information Commissioner’s Office. Data Protection Act Of 1998 Supervisory Powers of The Information Commissioner Enforcement
Notice; 2015. https://ico.org.uk/media/action-weve-taken/mpns/2259545/ams-marketing-ltd-mpn-20180727.pdf
26. Markou C. The ‘right to be forgotten’: ten reasons whyit should be forg otten. Reforming European Data Protection Law. Dordrecht: Springer
Netherlands; 2014:203-226.
27. John Roberts J. The right to be forgotten from Google? Forget it, says U.S. crowd. Fortune. Accessed September 3, 2020. https://fortune.
com/2015/03/12/the-right-to-be-forgotten-from-google- forget-it-says-u-s-crowd/
28. The Advisory Council. The Advisory Council to Google on the right to be forgotten; 2015. https://static.googleusercontent.com/media/
archive.google.com/en//advisorycouncil/advisement/advisory-report.pdf
29. Schönberger VM. Omission of Search Results Is Not a “Right to Be Forgotten” or the End of Google. London: The Guardian; 2014. https://
www.theguardian.com/commentisfree/2014/may/13/omission-of-search-results-no-right-to-be-forgotten Accessed January 30, 2020.
30. Bernal PA. A right to delete? Eur J Law Technol. 2011;2(2):1-18. http://ejlt.org/article/view/75/144.
31. Drummond D. We Need to Talk about the Right to Be Forgotten. London: The Guardian; 2014. https://www.theguardian.com/
commentisfree/2014/jul/10/right-to-be-forgotten-european-ruling-google-debate. Accessed April 7, 2018.
32. CJEU C-136/17. GC, AF, BH, ED v Commission Nationale de l’informatique et Des Libertés (CNIL), CJEU C-136/17. ECLI:EU:C, 1–13
(2019).
33. Christopherstacey. The Google effect-criminal records and the “right to be forgotten.” Christopherstacey. 2015 https://christopherstacey.
wordpress.com/2015/11/11/the-google- effect-criminal-records- and-the- right-to-be-forgotten/. Accessed May 15, 2018.
14 of 14 FAI SAL
34. Unlock. Stopping the ‘Google-effect’ for people with spent convictions. Unlock. 2018. http://www.unlock.org.uk/policy-issues/specific-
policy-issues/google-effect/. Accessed May 15, 2018.
35. Unlock. Case of Natasha—Online links hampering chances of promotion. Unlock. 2018. http://www.unlock.org.uk/policy-issues/policy-
cases/case-of- natasha-online-links-hampering-chances-of-promotion/. Accessed April 7, 2018.
36. CJEU C-101/01. Sweden v. Bodil Lindqvist, CJEU C-101/01. CJEU C-101/01 I-12992, 12992–13030; 2003.
37. Korff D. EC Study on Implementation of Data Protection Directive (Study Contract ETD/2001/B5-3001/A/49) Comparative Summary of
National Laws; 2002.
38. Bignami F. The case for tolerant constitutional patriotism: the right to privacy before the European courts. Cornell Int Law J.
2008;41(2):211-249. https://scholarship.law.cornell.edu/cgi/viewcontent.cgi?article=1722&context=cilj.
39. Federal Republic of Germany. Federal Data Protection Act (BDSG); 2017:2097; 2017.
40. Finnish Parliament. Data Protection Act. Vol 2; 2018:227–249.
41. Satakunnan Markkinapörssi Oy ja Satamedia Oy, CJEU C-73/07. 2008;9868-9894.
42. Simon M. Asia Considers ‘Right to Be Forgotten’ Ruling Prompted by Google. London: Financial Times; 2015. https://www.ft.com/content/
ade889d4-bc0e- 11e4-a6d7-00144feab7de. Accessed January 5, 2020.
43. Jääskinen N. Opinion of advocate general Jääskinen. Reports of Cases. 2013;IV(5):27. http://curia.europa.eu/juris/celex.jsf?celex=
62012CC0131&lang1=en&type=TXT&ancre=.
44. Ashby Donald and Others v. France. European Court of Human Rights. 2013;36769/08 (Information Note on the Court’s case-law No.
159):163-167. http://hudoc.echr.coe.int/fre?i=002-7393.
45. Times Newspapers Ltd (Nos. 1 and 2) v. the United Kingdom. European Court of Human Rights. 2005; 23676/03 and 3002/03: 1–21.
46. ECtHR Application no.40397/12. Fredrik NEIJ and Peter SUNDE KOLMISOPPI against Sweden, ECtHR Application No. 40397/12, 1–12;
2013.
47. Lindsay D. The ‘right to be forgotten’ in European data protection law. Emerging Challenges in Privacy Law: Comparative Perspectives.
Normann Wi: Cambridge University Press; 2012:290-337. https://doi.org/10.1017/CBO9781107300491.019.
48. Jacobs B, Larrauri E. European criminal records and ex-offender employment. NYU School of Law, Public Law. 2015;1-31. https://papers.
ssrn.com/sol3/papers.cfm?abstract_id=2670623.
49. CJEU C-473/12. Institut Professionnel Des Agents Immobiliers (IPI) v Geoffrey Englebert, Immo 9 SPRL, Grégory Francotte, CJEU
C-473/12. 13, 1–10; 2013. doi:https://doi.org/10.1016/S0140-6736(02)86312-7
50. Tribunal Supremo. Sala de lo Civil. PEDRO JOSE VELA TORRES. Tribunal Supremo. Sala de lo Civil 9, 10 (2016). doi:https://doi.org/10.
5151/cidi2017-060
How to cite this article: Faisal K. Balancing between Right to Be Forgotten and Right to Freedom of Expression
in Spent Criminal Convictions. Security and Privacy. 2021;e157. https://doi.org/10.1002/spy2.157
... Others like Tirosh criticize the right's focus on deletion and its focus on individuals (Tirosh 2017). Faisal (2021) ponders how a right to be forgotten may affect the reporting of criminal convictions. McStay (2017) wonders if such a right makes online media ahistorical. ...
Article
Full-text available
The right to be forgotten has been widely discussed from a legal perspective. Courts have analyzed the existence and constitutional compatibility of the right in the national legal order of several jurisdictions around the world. However, even if the right to be forgotten is not a universally recognized right, by understanding how the law approaches tensions that arise between the right to freedom of expression and the rights to seek, impart and receive information, on one hand, and a right to be forgotten, underpinned by the rights to honor, privacy and personal data protection on the other, journalists can extract ethical guidelines that can orient them in the correct use of archival information about individuals to report on current events. This work begins by explaining how legal debates can help inform ethical discussions about journalism. Then, by exploring the legal development and justifications for the right to be forgotten and identifying key elements of this emerging right, we engage in a discussion around the use of archives and memory in journalism and then identify the elements that journalists should consider in relation to the use of archival information in their profession in a way that allows them to fulfill their journalistic duties without ignoring the legal context.
Article
Full-text available
The right to privacy and the right to information are both essential human rights in the modern information society. For the most part, these two rights complement each other in holding governments accountable to individuals. But there is a potential conflict between these rights when there is a demand for access to personal information held by government bodies. Where the two rights overlap, states need to develop mechanisms for identifying core issues to limit conflicts and for balancing the rights.This paper examines legislative and structural means to better define and balance the rights to privacy and information.
Book
This book critically investigates the role of data subject rights in countering information and power asymmetries online. It aims at dissecting ‘data subject empowerment’ in the information society through the lens of the right to erasure (‘right to be forgotten’) in Article 17 of the General Data Protection Regulation (GDPR). In doing so, it provides an extensive analysis of the interaction between the GDPR and the fundamental right to data protection in Article 8 of the Charter of Fundamental Rights of the EU (Charter), how data subject rights affect fair balancing of fundamental rights, and what the practical challenges are to effective data subject rights. The book starts with exploring the data-driven asymmetries that characterize individuals’ relationship with tech giants. These commercial entities increasingly anticipate and govern how people interact with each other and the world around them, affecting core values such as individual autonomy, dignity, and freedom. The book explores how data protection law, and data subject rights in particular, enable resisting, breaking down or at the very least critically engaging with these asymmetric relationships. It concludes that despite substantial legal and practical hurdles, the GDPR’s right to erasure does play a meaningful role in furthering the fundamental right to data protection (Art 8 Charter) in the face of power asymmetries online.
Chapter
This paper looks at the right to data erasure contained in Article 17 of the Draft Data Protection Regulation and challenges the choice to label it as a right ‘to be forgotten’. It first explains what this right entails and why it is necessary particularly in the online world. It then puts forward ten reasons why its labeling as a ‘right to be forgotten’ does no good while it may cause harm. It shows that it does not tell the truth and is difficult to justify even if one is willing to think outside the strict boundaries of plain speech. It can mislead individuals as to its exact reach and as a result, unnecessarily trouble data controllers and eventually also frustrate the expectations of data subjects. The relevant label does not take into account the multi-purpose nature of the right (in a rapidly evolving online world), which necessitates a name that is both accurate and flexible. Fortunately, the ‘to be forgotten’ label can easily be omitted from the final text of the Regulation without necessitating any other change to the wording of Article 17. The right should simply be called a ‘right to erasure’, which cannot validly be subjected to similar objections. In general, the paper looks the right through the ‘lens’ of its label and offers an alternative introduction to the right and some of the issues pertaining to it.
Article
Introduction In January 2012 the European Commission adopted proposals for a new EU framework for data protection that is designed to replace the existing European data protection regime, which is based on the 1995 Data Protection Directive (DPD). The proposed new framework includes a General Data Protection Regulation (GDPR), which is intended to update the 1995 regime and deal with the challenges posed by the increased collection and processing of personal data online, including the emergence of social networking services (SNS). The GDPR, unlike the DPD, will apply directly to EU member states, with the aim of addressing the considerable divergence between current national EU data protection laws. At the time of writing, the proposals were working their way through the European legislative process. In January 2013 a committee of the European Parliament released a draft report on the proposals (the Albrecht Report), which recommended substantive amendments to the text of the GDPR. While it is impossible, at this stage, to predict the final shape of the reform package, this chapter will focus on the draft proposals for a GDPR and the amendments proposed in the Albrecht Report.
Book
Delete looks at the surprising phenomenon of perfect remembering in the digital age, and reveals why we must reintroduce our capacity to forget. Digital technology empowers us as never before, yet it has unforeseen consequences as well. Potentially humiliating content on Facebook is enshrined in cyberspace for future employers to see. Google remembers everything we've searched for and when. The digital realm remembers what is sometimes better forgotten, and this has profound implications for us all.InDelete, Viktor Mayer-Sch nberger traces the important role that forgetting has played throughout human history, from the ability to make sound decisions unencumbered by the past to the possibility of second chances. The written word made it possible for humans to remember across generations and time, yet now digital technology and global networks are overriding our natural ability to forget--the past is ever present, ready to be called up at the click of a mouse. Mayer-Sch nberger examines the technology that's facilitating the end of forgetting--digitization, cheap storage and easy retrieval, global access, and increasingly powerful software--and describes the dangers of everlasting digital memory, whether it's outdated information taken out of context or compromising photos the Web won't let us forget. He explains why information privacy rights and other fixes can't help us, and proposes an ingeniously simple solution--expiration dates on information--that may.Deleteis an eye-opening book that will help us remember how to forget in the digital age.
Article
The Freedom of Information Act 2000, taken together with the Data Protection Act 1998, has created new challenges for those engaged in handling and providing access to records in public authorities.1 Freedom of Information has significant implications for working practices within archive and records management in these authorities and will necessitate far-reaching changes. Other recent changes in legislation and certain policy initiatives will add further impetus to this process. Foremost of these are the modernising agenda associated with the Local Government Act 2000, recent legislation concerning the interception of communications on public networks, and central government’s e-government initiative.2 In addition, there is the incorporation of European law on human rights into English legislation in the form of the Human Rights Act 1998.3 This establishes standards for all thinking on policy and legislative issues affecting human welfare. The essence of Freedom of Information is to facilitate general access to information held by public authorities. The essence of Data Protection is to protect the rights of privacy of the individual. Although the legislation has been drafted to accommodate these two sets of needs, and although they should complement each other, there is a potential tension for public authorities. This stems primarily from areas of ambiguity created by the practicalities of their implementation, between granting access to information while ensuring that privacy is maintained. Much will become clearer with practical experience of the legislation. With these thoughts in mind, the Balancing Information Access and Privacy (BIAP) project was conceived. It aimed to survey the early response in local authorities to these core legislative changes within their wider context, to assess what preparations were under way, and to gauge reactions to the need to balance providing access with protecting privacy. The project focused upon responses from English shire and metropolitan local authorities and their associated record offices outside of Greater London.
Article
The theory of constitutional patriotism has been advanced as a solution to the European Union's legitimacy woes. Europeans, according to this theory, should recognize themselves as members of a single human community and thus acknowledge the legitimacy of Europe-wide governance based on their shared belief in a common set of liberal democratic values. Yet in its search for unity, constitutional patriotism, like nationalism and other founding myths, carries the potential for the exclusion of others. This article explores the illiberal tendencies of one element of the liberal canon - the right to privacy - in the case law of Europe's constitutional courts. It argues that, in confronting the tension between privacy and freedom of expression, the European Court of Justice has been more successful than the European Court of Human Rights at accommodating diverse national orderings and thus resisting the illiberal dangers of constitutional patriotism.