INmagazine Sayı 11 - Page 49

on on personal data violations. Google, as a data controller, has already been abiding by Article 12 of the Directive 95/46/EC and removing personal data content accordingly. Once the GDPR co- mes into force, search engines will once again be the most prominent party to all disputes. Additionally, companies who process personal data for marketing purposes will also have to abide by the regulation. As long as they process the personal data of data subjects who are citizens of EU Member States. SANCTIONS IN GDPR The companies who fail to secure the rights of the data subjects and violate their rights will face costly charges. As outlined in Article 83 (4) of the GDPR, if the cause of the infringement, or in other words non-compliance, is found to be regarding the controller or the processor, the certification body or mo- nitoring body, the administrative fine could be up to 10,000,000 EUR or 2% of worldwide turnover. Similarly, ac- cording to paragraph (5) of the same Article, Data protection authorities will have the right to impose fines of up to 20,000,000 EUR or 4% of the annual worldwide turnover of the company, if the regulations core principles are vio- lated. These include the processing of the data, the rights of the data subject and obligations pursuant to Member State law (1). Additionally, The EU com- mission, reversed the burden of proof with the GDPR. Individuals will no lon- ger have to prove why they need the personal data removed but instead, the companies will have to prove that the data cannot be deleted because it’s still relevant and necessary (2). RIGHT TO BE FORGOTTEN VS. FREEDOM OF EXPRESSION Discussions about how the right to era- sure may undermine freedom of expres- sion and access to information is taking place all over the globe. It has been ar- gued that deleting certain news links about certain people, may be giving criminals a blank slate and setting them free from the burden of their past mis- haps. Whether this is a positive aspect IT IS PREDOMINANTLY CLEAR THAT THE GDPR HAS PROVIDED A PROFOUND GROUNDWORK FOR HOW THE RIGHT TO ERASURE CAN BE EXERCISED. THE RIGHTS OF THE DATA SUBJECT HAVE BEEN GUARDED AGAINST POTENTIAL PROBLEMS ARISING AFTER THE DATA HAS BEEN OBTAINED. or not is a controversial topic and cur- rently debated around the world. In a case concerning the removal of personal data from a search engine, the European Court of Justice held that ‘the right to be forgotten is not absolute but will always need to be balanced against other rights, such as the freedom of exp- ression and the rights of the media’ (3). In this case (c-131/12), a Spanish law- yer, Mario Costeja Gonzales, requested that news about the foreclosure on his house be removed from the website of a local newspaper. Years had passed since the tim e of the hardship he had encoun- tered and he had eventually managed to turn his life around. However, the news about his economic adversity had re- mained on the internet and popped up every time he typed his name into the search engine. Now that the content of the news was irrelevant and inaccura- te, Mr. Gonzales wanted the links to be removed. The court made the decision to grant Mr. Gonzales the right to erasu- re and ultimately laid the basis for the right to be forgotten (4). Ever since this decision, there have been numerous discussions about how this right will be balanced against other fundamental rights. The freedom of expression under Article 10 of the European Conventi- on on Human Rights, isn’t an absolute right. The enforcement of this right ne- eds to be weighed against other rights concerning the privacy of individuals. As a result, the European Court of Justi- ce has ruled that all disputes concerning the issue of personal data erasure, sho- uld be dealt with on a case by case basis (5). This will allow the court to make well-balanced decisions, since they’ll be reviewing every case based on its indi- vidual merits. Article 17 (3) of GDPR on the other hand, specifically mentions the circumstances in which Article 17 (1) and Article 17 (2) will not be enforceable. If processing of personal data is necessary for certain reasons, the data subject will not be able to invoke his or her rights identified un- der Article 17 (1) and 17 (2). The reasons which override the right to erasure include the exercising of the right of freedom of expression and in- formation, for compliance with a legal obligation, for reasons of public interest in the area of public health, for achie- ving purposes in the public interest, sci- entific or historical research purposes or statistical purposes and finally for the establishment, exercise or defence of legal claims. The balance aspect of the right is defined under this parag- raph. The European Council has written an evidently clear regulation which has set guidelines for the right. Both the re- asons for when an individual can and reasons for when an individual can’t in- voke his or her right to be forgotten is spelled out distinctly, leaving little room for confusion. TURKISH DATA PROTECTION LAW (TDPL) After years of debate and waiting The Turkish Data Protection Law (no 6698 and originally named “Kişisel Verilerin Korunması Kanunu”) has published in Official Gazette in 07.04.2016. The right to erasure, which has also been cited as the ‘right to be forgotten’ also exists in a similar manner under the TPDL. Article 7 of the law, renders it possible for the data subject to request the data controller to ‘erase’, ‘destroy’ or make the personal data ‘anonymo- us’. Be that as it may, the vagueness of this particular article is an invitation to potential problems arising with regards to the right. TDPL only seems to allow the invoking of this right if the reasons for processing the data have become redundant or if the data was attained unlawfully. Regardless, the right to be forgotten isn’t an absolute right and is dependent on the specific situation of the data subject and the nature of the obtained data. 47