INmagazine Sayı 11 - Page 48

ARTICLE The ‘Right to Be Forgotten’: A Comparison Between Directive 95/46/EC vs. GDPR vs. Turkish Data Protection Law Authors: Altuğ ÖZGÜN & Süneyye ZEYREK 46 In Greek Mythology the river “Lethe” has a significant standing. Lethe was the underworld river of oblivion. A mere drop from the river can make someone begin to forget their whole identity. In today’s social media world where nearly every life is lived online, data protection legislations also enable and define the right to be forgotten as not a myth but a real designated right to every individual. Right for privacy or private life arose in the European continent with the European Convention on Human Rights in 1950, with Article 8 for Right to respect for private and family life. With the improvements in technology and data transfers; Data Privacy rights have emerged under the right for privacy as a new evolving issue which deals to utilize data while protecting individual’s privacy preferences and their personally identifiable information. The European Commission has dedicated immense time and effort into creating a legislation which boasts a solid protection of personal data against potential violations, while imposing precautions in order to ensure the protection of fundamental rights. Since the Directive 95/46/EC (Directive), the main objective of all legislation pertaining to the protection of personal data, has been a struggle of balancing fundamental rights, against rights depending on the circulation of information. In doing so, they’ve introduced preventative measures for foreseeable violations. The current Directive, the upcoming General Data Protection Regulation (GDPR) and the Turkish Data Protection Law (TDPL) are all established on identical principles. Granted that the implementation and practicality of all legislations differ once reviewed in depth. The right to be forgotten exists among these laws but the extent of the application of the right varies. DIRECTIVE 95/46/EC Article 12 of the Directive allows the ‘right of access’. In specific terms, Article 12 provides that ‘Member States shall guarantee the data subject the right to obtain from the controller’ and continues to specify the methods of how to do so. Article 12 (b) clarifies that the data subject has the right to rectification, erasure or the blocking of personal data if the data is based on an inaccurate or incomplete nature. In other words, the data subject is entitled to request the erasure of personal data regarding him or her, if the data is no longer necessary or irrelevant. GENERAL DATA PROTECTION REGULATION (GDPR) Not unlike the Directive, the GDPR, published in April 2016 and coming into effect in May 2018, provides a right to erasure of personal data. When the GDPR comes into practice it will repeal the Directive. This may possibly be the reason why the GDPR is constructed in a well-defined manner as opposed to the Directive. Although, the Directive had already laid down the right to be forgotten as a principle, the GDPR, undoubtedly, has given the principle flesh and bones. According to Article 17 (1) of the regulation, ‘The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay’. The article continues with a list of specific circumstances for when the data subject can invoke his or her right. These include; if the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed or if the data subject withdraws consent on which the processing is based. It is predominantly clear that the GDPR has provided a profound groundwork for how the right to erasure can be exercised. The rights of the data subject have been guarded against potential problems arising after the data has been obtained. Article 17 (2) of the GDPR specifies that the data controller who has made the personal data public, should take reasonable steps, including technical measures to erase the data upon request of the data subject. Ergo, if the data subject has been granted the right to erasure under Article 17 (1), the data controller should do everything, including notifying all involved controllers, to make sure the data is erased from all sources along with ‘any links to, or copy or replication of, those personal data’. SCOPE OF GDPR The GDPR has a universal application. According to Article 3, the territorial scope of the regulation goes as far as to include ‘the processing of personal data in context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not’. According to the scope of the GDPR, companies established outside the EU will still be bound by the regulation, granted that they offer goods or services, irrespective of whether the data subjects are required to make a payment or not, to EU member citizens. Article 3 has set the foundation for multinational interventi- A R T I CL E The ‘Right to Be Forgotten’: A Comparison Between Directive 95/46/EC vs. GDPR vs. Turkish Data Protection Law Authors: Altuğ ÖZGÜN & Süneyye ZEYREK 46 I n Greek Mythology the river “Lethe” has a significant stan- ding. Lethe was the underworld river of oblivion. A mere drop from the river can make some- one begin to forget their whole identity. In today’s social media world where nearly every life is lived online, data protection legislations also enable and define the right to be forgotten as not a myth but a real designated right to every individual. Right for privacy or private life arose in the European continent with the Euro- pean Convention on Human Rights in 1950, with Article 8 for Right to res- pect for private and family life. With the improvements in technology and data transfers; Data Privacy rights have emerged under the right for privacy as a new evolving issue which deals to uti- lize data while protecting individual’s privacy preferences and their perso- nally identifiable information. The European Commission has dedica- ted immense time and effort into crea- ting a legislation which boasts a solid protection of personal data against po- tential violations, while imposing preca- utions in order to ensure the protection of fundamental rights. Since the Direc- tive 95/46/EC (Directive), the main ob- jective of all legislation pertaining to the protection of personal data, has been a struggle of balancing fundamental rights, against rights depending on the circulation of information. In doing so, they’ve introduced preventative measu- res for foreseeable violations. The cur- rent Directive, the upcoming General Data Protection Regulation (GDPR) and the Turkish Data Protection Law (TDPL) are all established on identical principles. Granted that the implemen- tation and practicality of all legislations differ once reviewed in depth. The right to be forgotten exists among th ͔)ЁѡѕЁѡѥѡ)ɥЁمɥ̸)%I Q%YԼؽ )ѥȁѡɕѥٔ́ѡ+aɥЁϊd%ѕɵ̰ѥ)ȁɽ٥́ѡЃa5ȁMхѕ́͡)ՅɅѕѡфՉЁѡɥЁѼ)хɽѡɽˊdѥԴ)́Ѽѡѡ́܁Ѽ)ͼѥȀɥ́ѡЁѡф)ՉЁ́ѡɥЁѼɕѥѥ)Ʌɔȁѡͽф)ѡф͕́Ʌє)єɔ%ѡȁݽɑ̰ѡ)фՉЁ́ѥѱѼɕՕЁѡ)Ʌɔͽфɕɑ)ȁȰѡф́ȁͅ)ȁɕمи)9I0QAI=Q Q%=8)IU1Q%=8AH)9ЁչѡɕѥٔѡAHՈ)͡ɥ؁Ѽ)Ё5ఁɽ٥́ɥ)ѼɅɔͽф]ѡ)AH́ѼɅѥЁݥɕ)ѡɕѥٔQ́ͥ䁉ѡ)ɕͽݡѡAH́Սѕ)ݕȁ͕́Ѽѡ)ɕѥٔѡ՝ѡɕѥٔ)ɕ䁱ݸѡɥЁѼɝд)ѕ́ɥѡAHչՈ)ѕ䰁ٕ́ѡɥ͠)̸ɑѼѥ܀Ĥѡ)ɕձѥaQфՉЁٔ͡)ѡɥЁѼхɽѡɽ)ѡɅɔͽфɹ)ȁȁݥѡЁչՔ䁅)ѡɽȁٔ͡ѡѥ)ѼɅ͔ͽфݥѡЁչՔ)dQѥѥՕ́ݥѠ)ɍյх́ȁݡѡ)фՉЁٽ́ȁȁɥи)Q͔Ց쁥ѡͽф́)ȁͅ䁥ɕѥѼѡȴ)͕́ȁݡѡݕɔѕ)ѡݥ͔ɽ͕ȁѡфՈ)ЁݥѡɅ͕́Ёݡѡ)ɽ͕ͥ́)%Ё́ɕѱ䁍ȁѡЁѡAH)́ɽ٥ɽչɽչݽɬ)ȁ܁ѡɥЁѼɅɔȴ)͕Qɥ́ѡфՉЁٔ)ՅɑЁѕѥɽ)́ɥͥѕȁѡф́)х)ѥ܀ȤѡAH́ѡ)ѡфɽȁݡ́ѡ)ͽфՉ͡ձхɕ)ͽѕ̰Ցѕ)ɕ́ѼɅ͔ѡфɕՕЁ)ѡфՉиɝѡфՉ)́ɅѕѡɥЁѼɅɔ)չȁѥ܀Ĥѡфɽ)ȁ͡ձٕѡՑ)ѥ她ٽٕɽ̰Ѽ)ɔѡф́Ʌ͕ɽͽɍ)ݥѠa䁱́Ѽȁ䁽ȁɕ)ѥѡ͔ͽчd)M =A=AH)QAH́չٕͅѥ)ɑѼѥ̰ѡѕɥѽɥ)͍ѡɕձѥ́́ȁ́Ѽ)Ցaѡɽͥͽф)ѕЁѡѥ٥ѥ́х͠)Ёɽȁȁɽͽȁѡ)Uɕɑ́ݡѡȁѡɽ̴)ͥх́ѡUȁӊd)ɑѼѡ͍ѡAH)́хͥ͡ѡTݥ)ѥչѡɕձѥɅѕ)ѡЁѡ䁽ȁ́ȁ͕٥̰ɕ̴)ѥٔݡѡȁѡфՉ́ɔ)ɕեɕѼ嵕ЁȁаѼ)Tȁѥ镹̸ѥ͕́́Ёѡ)չѥȁձѥѥѕٕѤ