Загрузка...

Эта статья опубликована под лицензией Creative Commons и не автором статьи. Поэтому если вы найдете какие-либо неточности, вы можете исправить их, обновив статью.

Загрузка...
Загрузка...

Right to Be Forgotten in the European Union and Russia: Comparison and Criticism Creative Commons

Link for citation this article

Nurullaev Ruslan

Право. Журнал Высшей школы экономики, Год журнала: 2015, Номер №3, С. 181 - 193

Опубликована Июль 1, 2015

Последнее обновление статьи Май 17, 2023

Эта статья опубликована под лицензией

License
Link for citation this article Похожие статьи

Abstract

In July, 2015, the Russian President signed Law No. 264-FZ which grants to Russian citizens the right to request delisting of search results which link to inaccurate or irrelevant information about them (“the right to be forgotten”). According to its drafters, the law is expected to adapt Russian law to the European practice. This article recounts the decision of the Court of Justice of the European Union in Google Spain v. AEPD and Mario Costeja González, the case which inspired Law No. 264-FZ, and analyses commonalities and differences between the judgment of the Court of Justice and Law No. 264-FZ.The decision in Google Spain v. AEPD and Mario Costeja González was decided with reference to the principles contained in the data protection legislation. Guided by these principles, the Court of Justice of the European Union sought to strike a balance between the individual’s right to privacy and right of the public to access the information. As a consequence, search engine operators in the European Union are not obliged to remove search results if there is the preponderant interest of the general public in having access to the information in question. In contrast, Law No. 264-FZ is not based on data protection principles and introduced the sui generis right to request delisting of search results. The law contains a number of differences from the decision in Google Spain v. AEPD and Mario Costeja González. Most critically, Law No. 264-FZ fails to give due consideration to the public’s right to access information and does not contain a similar general exception from delisting of search results.

Ключевые слова

Internet, Costeja, Internet service providers, European Union, personal data, information intermediaries, right to be forgot, Google Spain

Introduction


On July 14, 2015 the Russian President signed Federal law 264-FZ1, which from January 1, 2016 will grant to Russian citizens the right to request delisting of certain search results in specific circumstances, a right which is somewhat misleadingly known as “the right to be forgotten”. The explanatory note related to the law claims that this law is consistent with “the general European practice”2. Supporters of the law made a case for its adoption by referring to the judgment of the Court of Justice of the European Union (CJEU) in the case Google Spain v. AEPD and Mario Costeja Gonzalez34. The new law is supposed to grant to Russian citizens the same right that the CJEU granted to citizens of the European Union.


On the other hand, the decision in Google Spain v. AEPD and Mario Costeja Gonzalez itself sparked major controversy. Some claim that the right to be forgotten will empower citizens of the European Union by providing them with better control over the use of their personal data online5. Others argue that the decision of the CJEU is “deeply flawed”6 and the right to be forgotten can cause “Orwellian memory holes”7 and is “misguided in principle and unworkable in practice”8. Larry Page, the CEO of Google, expressed concern that the right to be forgotten can empower repressive governments in censuring the Internet9.


Considering the sharp debate around the right to be forgotten, it could be beneficial to compare its implementation in the Russian Federation with the judgment of the CJEU in Google Spain v. AEPD and Mario Costeja Gonzalez. It could be instructive to reveal how faithful the Russian law is to the principles laid down in the judgment of the CJEU.


This article reviews the judgment in Google Spain v. AEPD and Mario Costeja Gonzalez, identifies differences between the judgment and the Russian law and recounts criticism of the right to be forgotten.


European Union


In 1998, Spanish newspaper La Vanguardia had published an announcement mentioning Mr. Costaja Gonzalez’s name for a real-estate auction in connection with attachment proceedings for the recovery of social security debts. After 12 years, Mr. Costaja Gonzalez submitted a complaint to the Spanish data protection authority requesting that La Vanguardia remove all pages with the auction announcement and Google delist links to said La Vanguardia pages from search results.


In connection with these proceedings, the Spanish national court referred to the CJEU a set of questions on the implementation of the European Union law in the case of Google Spain v. AEPD and Mario Costeja Gonzalez. These questions can be broken down into three categories: (A) how provision of web search results can be regulated by data protection legislation, (B) whether citizens of the European Union have a right to claim delisting of search results containing their personal data, and (C) whether a foreign operator of a search engine can be subjected to a Spanish data protection law.


(A) In order to impose on a search engine operator the full set of obligations contained in data protection legislation, it is necessary to establish that a search engine “processes” personal data and that its operator is a “controller” in relation to such processing.


With regard to the first issue, the CJEU explained that in order to provide the search service, the operator automatically searches (“crawls”) websites available on the Internet, retrieves, indexes and makes the information published on these websites available to users. The search engine indexes all available information without discrimination and can also process personal data contained within such information. Thus, the search engine operator “collects”, “retrieves”, “records” and “organises” in its search index, “stores” on its servers, “discloses” and “makes available” to its users personal data together with any other information. In accordance with article 2(b) of the Data Protection Directive10, all such activities qualify as the “processing” of personal data11. It is irrelevant that a search engine processes personal data as a part of all other information or that processing is carried out automatically. On the contrary, the Data Protection Directive specifically mentions that processing can be carried out by automatic means12.


The court also established that since the operator of a search engine determines the purposes and means of the processing (the search engine operator regulates how webpages are crawled, the information is organised, stored and then made available in search results), the operator is effectively a “controller” with respect to the processing of personal data13. It is immaterial that the operator of a search engine does not process personal data selectively or that personal data is already available on third party websites. The CJEU further mentioned that the processing of personal data by search engine operators is additional to and separate from processing undertaken by website publishers14.


The courts decision to classify search engine operators as controllers with respect to processing of indexed personal data is problematic for at least two reasons.


Firstly, search engine operators in practice cannot comply with all the obligations imposed on data controllers. For example, the Data Protection Directive imposes strict requirements on the processing of sensitive categories of personal data (such as information concerning health, sex life, political opinions, religious or philosophical beliefs)15. Such personal data can usually be processed only with a data subjects consent. It is not possible in practice for search engine operators to receive such consent from all data subjects whose sensitive personal data may be indexed by a search engine.


Secondly, if such a wide interpretation of the terms “processing” and “data controller” is adopted, virtually everyone can be deemed a controller. For example, Internet users who search for information on Google can be data controllers, since they retrieve personal data. Indeed, even carrying around a newspaper may arguably involve “storing” or personal data of the individuals named in the newspaper16.


By recognising that operators of a search engine process personal data and are controllers with relation to such processing, the CJEU extended the obligations contained in the Data Protection Directive to operators. However, at the same time the CJEU suggested that the processing of personal data by operators of a search engine pursues legitimate interests17. Although the court did not elaborate on what particular interests are facilitated, the Advocate General who advised the court on this case in his opinion explained that a search engine (i) makes information more easily accessible for Internet users; (ii) renders dissemination of the information uploaded on the Internet more effective; and (iii) enables various Internet services that are ancillary to the search engine, such as the provision of keyword advertising. These activities facilitate freedom of information, freedom of expression and freedom to conduct a business respectively18.


(B) Although the provision of online search service can be underpinned by legitimate interests, in certain cases legitimate interests of the operator can be overridden and individuals can request a search engine operator to cease processing of their personal data19.


If a search is carried out on the persons name, a search engine can provide “through the list of results a structured overview of the information relating to that individual that can be found on the Internet — information which potentially concerns a vast number of aspects of his private life and which, without the search engine, could not have been interconnected or could have been only with great difficulty — and thereby to establish a more or less detailed profile of him”20. This “profiling” can significantly interfere with the rights to privacy and to the protection of personal data of a person.


In such circumstances the economic interest of the search engine operator and the interests of the general public in having access to this information will be overridden by the interests of a data subject21. A data subject can request the operator of a search engine “to remove from the list of results displayed following a search made on the basis of a persons name links to web pages published by third parties and containing information relating to that person”22. In accordance with paragraph 92 of the judgment, such removal can be requested when processing of personal data does not comply with the Directive, in particular if the processed data are inaccurate inadequate, irrelevant or excessive in relation to the purposes of the processing23.


Following the receipt of such a request a search engine operator engine will have to comply with it unless “for particular reasons, such as the role played by the data subject in public life”24, the data processing is justified by “the preponderant interest of the general public in having, on account of inclusion in the list of results, access to the information in question”25.


This requirement means that the operator of a search engine will have to carry out a balancing exercise and weigh the data subjects rights to privacy and protection of personal data against the right of the general public to access the information in question


The court did not elaborate on what constitutes “a role in public life” or what other circumstances can justify interference with the data subjects right to private life.


Some guidance was provided by data protection authorities of the EU Member States (collectively represented by the Article 29 of Working Party)26, as well as by a council of data protection experts gathered by Google in order to provide advice on the judgment of the CJEU (the Advisory Council)27.


Although it is fairly difficult to establish the meaning of the “role in public life”, the data protection authorities state that an individual will usually have a role in public life if having access to the particular information would protect the public against improper public or professional conduct28. The Advisory Council distinguished three kinds of cases related to the role in public life: (i) individuals with clear roles in public life (such as politicians, CEOs, celebrities, religious leaders, sports stars, performing artists) — because of their role, the interest of the general public in having access to information on them will usually prevail; (ii) individuals with no discernible role in public life — their delisting requests will usually be granted; and (iii) individuals with a limited or context specific role in public life (such as persons who unintentionally got caught in the public attention) — in their cases there would be no presumption because assessment of their delisting requests will heavily depend on the information subject to delisting)29.


While the court refrained from providing a more detailed explanation, there are a multitude of factors, other than the individual’s role in public life, which can impact the result of the balancing exercise30.


The Advisory Council divided such factors into three groups: (i) the factors related to the nature of information access to which is sought to be restricted; (ii) the source of the information; and (iii) time of publication of the information31.



  • Information on an individual’s intimate or sex life and other information which is deemed sensitive under the Data Protection Directive (“special categories of data”32), information related to minors, information prejudicial to the individual, personal financial information, private contact or identification information, false or misleading information33, information which puts the individual at risk, information in the form of an image or video (in comparison with a text) may weigh in favour of delisting. On the other hand, information relevant to the professional conduct of the individual, information published with the individuals consent, information published in accordance with the prescription of a law, information relevant to political discourse or governance, information relevant to religious or philosophical discourse, information that relates to public health and consumer protection, information related to criminal activity, information that contributes to a debate on a matter of general interest, information that is factual and true, information integral to the historical record, information integral to scientific inquiry or artistic expression have a lesser chance of being delisted.

  • Information published as a result of a journalistic inquiry34, government publications, information published by the individual him- or herself may evidence existence of a legitimate public interest in access to such information.

  • In accordance with paragraph 93 of the courts decision, “even initially lawful processing of accurate data may, in the course of time, become incompatible with the directive where those data are no longer necessary in the light of the purposes for which they were collected or processed”35. Time may be an important factor in assessing the balance of the interests. With the course of time circumstances related to the publication of information may change and the information may become irrelevant. For example, the individual may cease to play a role in public life. It may be difficult to lay down precise timelines in connection with the relevance of information. In Google Spain v. AEPD and Mario Costeja Gonzalez the initial publication of the auction announcement took place 16 years earlier — the CJEU deemed that this time could be sufficient to make the information irrelevant36.


(C) When answering the question on jurisdiction, the CJEU explained that a foreign web search operator can be subjected to Spanish data protection regulations in cases where this search engine operator has a local subsidiary incorporated in Spain which promotes and sells advertising offered by that search engine and which orientates its activity towards Spanish residents. The CJEU reasoned that although personal data is processed by a foreign search engine, the data is processed “in the context of the activities” of the local company which sells advertising offered by the search engine, since sale of advertising is meant to make the search service profitable and thus supports the search engine37. Considering that promotion and sale of advertising is usually carried out by locally established companies, this means that in practice any search engine which sells advertising for clients in a European Union country has to comply with this country’s data protection regulations.


The court’s decision was issued on May 13, 2014. On May 30, 2014 Google launched a web form that citizens of the EU Member States can use to submit data protection delisting requests to Google. By July 26,2015 Google received more than 288,000 delisting requests and processed more than 1 million URLs. Of this 1 million URLs, Google removed 41.3 per cent38. Google accepts delisting request for its Web Search, Image Search and Google News39.


When complying with a request, Google delists URLs on all European country code top level domains (e.g. google.de, google.fr, google.co.uk, etc.), but not on its other websites (e.g. google, com). Google maintains that delisting on EU domains is sufficient for adequate protection of EU Member States citizens’ right to private life as only 5 per cent of its European users use the google, com website40. The Advisory Council agreed with Google and noted that delisting on non-EU domains may come in conflict with a right of non-EU users to access the information on namebased searches, since non-EU countries may not recognise the right to be forgotten41. The European Union data protection authorities strongly disagree with this practice and demand delisting on all domains where European Union citizens can make search requests (or at least use geoblocking to prevent European Union citizens from gaining access to the delisted URLs)42. However, Google took a principled stand in not delisting search results from its non-EU websites43.


When delisting URLs Google can show a notification in the bottom of a search results page when users search for the name in relation to which URLs were delisted44. Since delisting of search results can reduce traffic to websites, Google also notifies the webmasters of websites affected by delisting45. When providing both notifications, Google does not disclose the name of the individual who requested delisting.


In the European Union the reform of the data protection legal framework is underway46. The purpose of the reform is to adopt European Union data protection legislation to the use of new technologies. When this reform is implemented, the Data Protection Directive (which was adopted in 1995 when Google did not yet exist) will be replaced by the General Data Protection Regulation. The right to be forgotten was included by the Commission in the first draft of the General Data Protection Regulation47 and was supported with some changes by the European Parliament48 and the Council of Ministers49. Considering that the majority of the Member States also support the right to be forgotten, it is likely that the General Data Protection Regulation will contain this right, although its precise scope and implementation are subject to debate.


Russian Federation


In the Russian Federation the draft legislation meant to establish the right to be forgotten was introduced into the parliament on May 29, 201550.


The first draft of the bill contained the right to be forgotten in its most radical form and was criticised by Russian IT companies51. For example, the bill did not require individuals to provide URLs subject to removal and left it to the operators of search engines to locate and delist all URLs containing information provided in the removal request. Furthermore, the first draft provided for removal of true and accurate information that is older than 3 years (with exception for information about criminal activity) and did not limit delisting to searches on the individual’s name52.


After introduction of the bill into the parliament, members of parliament and presidential administration held several meetings with Internet companies to discuss possible amendments to the bill53. Some of the proposed amendments were introduced into the draft law in time for the next parliamentary hearing. The bill quickly went through all of the readings and was signed by the president on July 13, 2015 and adopted as the Law No. 264-FZ.


The Law No. 264-FZ introduced into Russian law a definition of a search engine. A search engine is understood as an information system that, on a user’s demand, searches for information and provides the user with information on URLs for access to the requested information published on third-party websites54. The first draft of the bill did not contain the “third-party websites” limitation and the definition potentially applied to any website which has a search feature (including media websites).


An individual can request removal of URLs for searches made on his or her name if such URLs link to the following information on him or her: (i) information distributed in breach of Russian laws; (ii) inaccurate information; (iii) irrelevant information or (iv) information which has lost its meaning for the individual for the reasons of subsequent events or actions of the individual55.


The only exceptions from removal of URLs under the Russian law are (i) information on events that contain signs of crimes the term of prosecution for which has not lapsed and (ii) information about commitment of a crime in respect of which the conviction did not lapse56.


The operators of a search engine have to process delisting notifications within 10 business days (the first draft of the law gave the operators only 3 calendar days)57. The operators are also allowed to request a clarification of the information provided by an individual and request the individual’s passport. However, the operators have the right to request only one such clarification58. The operators are also prohibited from disclosing information about the receipt of a delisting request59.


The delisting obligation contained in the Law No. 264-FZ applies to all search engines that serve advertising directed at the consumers residing in the Russian Federation60. This approach is reminiscent of the CJEU, which established that incorporation of a local subsidiary will bring the national data protection laws into play where this subsidiary promotes and sells advertising of the search engine. However, the Data Protection Directive lists other possible cases where a foreign company may be caught by national data protection regulation — for example, in cases where a foreign company is not established in the Member State, but for purposes of processing makes use of equipment situated on the territory of the said Member State61.


Another piece of draft legislation was introduced into parliament to supplement the Law No. 264-FZ62. If enacted, this draft legislation will establish administrative fines for a failure of a search engine operator to comply with a legitimate removal request (a 100,000 roubles fine) and failure to comply with a court judgment prescribing removal of URLs from search results (a 3,000,000 roubles fine). This draft law was recently criticised by the Russian Supreme Court63. The Supreme Court stated that the fines may be disproportionate and inability of the courts to lower the amount of a fine will prohibit taking into account the different circumstances of individual cases.


On its face, Law No. 264-FZ grants to Russian citizens a right similar to the one granted to European Union citizens by the CJEU in Google Spain v. AEPD and Mario Costeja Gonzalez, since both Law No. 264-FZ and the CJEU’s judgment provided individuals with a right to request delisting of search results linking to inaccurate or irrelevant information. However, closer scrutiny reveals a number of important differences that can render Law No. 264-FZ significantly different from the right provided by the Court of the European Union.



  • The CJEU based its conclusions on the Data Protection Directive and principles governing processing of personal data in the European Union.


In Russia the right to be forgotten was introduced as an sui generis right which has no egress connection to data protection (Law No. 264-FZ did not amend Russian data protection legislation).


On the one hand, the independent nature of the Russian right to be forgotten allows circumventing the problems resulting from recognition of search engine operators as data controllers: namely, imposing obligations with which search engine operators cannot comply in practice and widening of the meaning of the term “data controller”, which can create problems for entities other than search engine operators, for example, Internet users.


On the other hand, the extent of applicability of personal data regulations to search engine operators remains unknown in Russia. If at a later point a Russian court or data protection authority finds that the search engine operators can be deemed data controllers in relation to provision of web search services, the Law No. 264-FZ may overlap with data protection regulations.


(i) The CJEU granted data subjects the right to demand delisting of URLs from search results only in a specific set of circumstances — if their personal data processed by search engine operators are inaccurate, inadequate, irrelevant or excessive.


The Russian parliament created a “general purpose” right. Russian citizens will not only be able to request delisting of inaccurate or irrelevant information, but also any other information on themselves which is disseminated contrary to the laws of Russian of Russian Federation. Such information can include instructions on manufacturing of drugs, information about committing suicide, information on gambling64, and even pornography65 and information on bitcoins66. Although Russian courts already can order Internet access providers to restrict access to such information online, the Law No. 264-FZ created a new instrument for control of dissemination of information online — delisting of URLs from search results.


(ii) In the European Union, the search engine operators have to delist URLs only if there is no preponderant interest of the general public in having access to the information. This is an important general limitation to the right to be forgotten. In practice this means that search engine operators will have to consider a multitude of factors when making a delisting decision. The operators will be able to access every situation based on its particular set of facts.


On the other hand, Law No. 264-FZ contains a fundamental misinterpretation of the decision in Google Spain v. AEPD and Mario Costeja Gonzalez. Instead of creating a general “public interest” exception for delisting, Russian parliament provided that search engine operators will have to remove URLs if the information “has lost the meaning for the applicant for reason of subsequent events or actions of the applicant”67. Instead of protecting the public interest, this provision appears to serve solely the interests of the applicant.


The only other exception for delisting of search results contained in Law No. 264-FZ covers information on criminal activity. However, as mentioned above, signs of criminal activity are only one of the many factors which European Union data protection authorities (and search engine operators) will weigh when making a delisting decision.


(iii) The judgment of the CJEU does not specify whether search engine operators can notify online publishers or Internet users about delisting of URLs. Equally, the decision does not mention whether search engine operators can publish statistics on delisting requests.


It may be assumed that search engine operators can do these things as long as they do not reveal the personal data which were subjected to a delisting request. Publishing statistics on delisting requests is vital for a better understanding of the effect of the right to be forgotten. European Union data protection authorities agree that in some cases contacting website publishers can be instrumental in making a correct decision when assessing a delisting request, since publishers can know the details which search engine operators do not have68.


On the other hand, Law No. 264-FZ specifically mentions that search engine operators cannot disclose information about the facts underlying removal requests.69 Such an all-encompassing restriction can bar search engine operators not only from notifying website publishers and Internet users about delisted URLs, but also from publishing anonymous statistical data on the processing of delisting requests (since such statistics will unavoidably disclose the facts of receiving delisting requests).


If Russian courts apply this restriction rigorously, application of the right to be forgotten in Russia will be kept out of public oversight.


(iv) The CJEU did not provide a definition of a search engine in its judgment. It is possible that the delisting obligation applies to all search engines other than “internal” search engines which look for information on a single website because such search engines do not provide a detailed profile of a data subject70. An example of an “internal” search engine could be a search tool on a news website which only indexes web pages of this particular news website.


The obligation to process delisting requests provided in Law No. 264-FZ applies only to search engines that serve advertising directed at consumers residing in the Russian Federation71. In accordance with a literal interpretation of this provision, search engines that do not serve advertising will not fall under the new law. Although targeted advertising is currently a primary monetisation instrument of search engines, it is not entirely unthinkable that in a foreseeable future search engine operators will use other means to generate revenue, such as a subscription fee72 or affiliate programs73. This could mean that the right to be forgotten created by the Law No. 264-FZ may apply to fewer search engines.


(v) The judgment in Google Spain v. AEPD and Mario Costeja Gonzalez leaves it to search engine operators to process delisting requests and to protect legitimate interests of the general public by balancing conflicting rights on a case-by-case basis. It is for the Member States’ legislators and data protection authorities to further regulate the processing of delisting requests by search engine operators, provided that the general principle established by the CJEU is heeded and search engine operators can weigh competing interests before deciding whether to delist URLs.


Law No. 264-FZ contains a more detailed regulation of the processing of delisting requests by search engine operators. For example, the law provides that a search engine operator has to process a delisting request within 10 business days74. When processing a request, a search engine operator can request additional information from an individual, but can only do this once per request75. There is room for an argument that in complex cases a search engine operator could need more than 10 business days and more than one clarification request to uncover the whole picture before deciding on a removal request.


(viii) Since the right to request delisting of certain URLs established in Google Spain v. AEPD and Mario Costeja Gonzalez is based on data protection legislation, data subjects can submit such requests directly to search engine operators or to data protection authorities76.


On the other hand, since the similar right provided by Law No. 264-FZ is not based on data protection laws, Russian citizens can apply to search engine operators or courts, but not to data protection authorities. Addressing delisting requests to courts rather than data protection authorities may be a better option as the courts have more investigative powers than data protection authorities.


Conclusion


While Law No. 264-FZ, which introduced the right to be forgotten in Russia, is claimed to be consistent with the practice adopted in the European Union, it is in fact quite different from the decision of the CJEU in Google Spain v. AEPD and Mario Costeja Gonzalez.


Law No. 264-FZ did not develop the right to be forgotten from data protection legislation. Instead, the right to be forgotten was introduced as an sui generis right. The critical shortcoming of the Russian law (which also distinguishes it from the CJEU s judgment) is the failure to account for the right of the general public to find and access information online. Other discrepancies include additional grounds for removal of search results, a narrower definition of a search engine, rigid requirements for the processing of removal requests and a prohibition to disclose any information about such requests.


Implementation of the right to be forgotten is now up to search engine operators and Russian courts. Their actions will in large part determine whether the new law will be used to empower Russian citizens or to censure the Internet.


References



  1. Andrade N. (2012) Oblivion: The Right to Be Different from Oneself— Re Proposing the Right to Be Forgotten. Revista de Internet, Derecho у Politica, no. 13, pp. 122-137.

  2. Ausloos J. (2011) The ‘Right to Be Forgotten’. Computer Law and Security Review, vol. 28, issue 2, pp. 143-152.

  3. Birnhack M. (2012) Reverse Engineering Informational Privacy Law. Yale Journal of Law and Technology, vol. 15, p. 24.

  4. Jones M. and Ausloos J. (2013) The Right to Be Forgotten Across the Pond. Journal of Information Policy, vol. 3, pp. 1-23.

  5. Jones M. (2012) It’s About Time: Privacy, Information Lifecycles, and the Right to Be Forgotten. Stanford Technology Law Review, vol. 16, p. 12.

  6. Koops B. (2011) Forgetting Footprints, Shunning Shadows: A Critical Analysis of the ‘Right to Be Forgotten’ in Big Data Practice. SCRIPT, vol. 8, no. 3, pp. 229-256.

  7. Korenhof P. (2013) Forgetting Bits and Pieces: An Exploration of the ‘Right to Be Forgotten’ as Implementation of ‘Forgetting’ in Online Memory Processes. Tilburg Law School Law and Technology Working Paper No. 4 /2013.

  8. Kuner C. (2014) Court of Justice of the EU Judgment on Data Protection and Internet Search Engines. London School of Economics Legal Studies Working Paper No. 3/2015.

  9. Mantelero A. (2013) EU Proposal for a General Data Protection Regulation and Roots of the ‘Right to Be Forgotten’. Computer Law & Security Review, vol. 29, issue 3, pp. 229-235.

  10. McNealy J. (2012) The Emerging Conflict between Newsworthiness and the Right to Be Forgotten. Northern Kentucky Law Review, vol. 39, no. 2, pp. 119-135.

  11. Rustad M. and Kulevska S. (2015) Reconceptualizing the Right to Be Forgotten to Enable Transatlantic Data Flow. Harvard Journal of Law and Technology, vol. 28, p. 349.

  12. Shoor E. (2014) Narrowing the Right to Be Forgotten: Why the European Union Needs to Amend the Proposed Data Protection Regulation. Brooklyn Journal of International Law, vol. 39, no.1, p. 108.

  13. Van Alsenoy B. and Koekkoek M. (2015) Extra-Territorial Reach of the EU’s Right to Be Forgotten. ICRI Research Paper 20.

  14. Victor J. (2013) The EU General Data Protection Regulation: Toward a Property Regime for Protecting Data Privacy. Yale Law Journal, vol. 123, p. 513.

  15. Walker R. (2012) The Right to be Forgotten. Hastings Law Journal, vol. 64, p. 257.