Following the ratification of the AU Convention on Cyber Security and Personal Data Protection adopted at Malabo, Equatorial Guinea on June 27, 2014, Rwanda is the first East African nation to enshrine the ‘right to be forgotten’ stemming from the Convention.
Rwanda is, equally, among a handful of African States that have accommodated this novel right.
Prior to diving deeper into the right to be forgotten, this column has a twofold question: What’s the right to be forgotten? And how’s it relevant to Rwandans?
To begin with, existing pieces of legislation are short of accommodating the right to be forgotten. So, the ratification of the AU Convention is fundamentally important, especially in the digital eternity era.
Though the ‘right to be forgotten’ isn’t defined under the aforesaid AU Convention, its definitional elements can be inferred from the EU-General Data Protection Regulation (GDPR), which replaced EU-Data Protection Directive 95/46/EC.
Under Article 17 of the GDPR, the data subject shall have the right to obtain from the data controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay, in the event, where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
In other words, the ‘right to be forgotten’ refers to the situation where a historical event should no longer be revitalised due to the length of time elapsed since its occurrence.
To put it in an ideal context, think back to the most horrible moment of your life. It could be a colossal mistake: something you’re really ashamed of. May be something terrible happened to you, and you don’t want to think about it ever again.
Now imagine that moment recorded, or recounted, or brought to light, and placed online. To some, you wouldn’t wish to imagine it; and to others, you feel like asking the ground to swallow you up, or feel like migrating to the heavenly bodies. Now, the internet is littered with the worst moments of people’s lives.
Once your bad experience goes online, it can have chilling effect on your life. Today, copying and sharing is increasingly easy, and the internet has an almost unlimited capacity to research and remember. David Lindsay rightly describes this as the problem of digital eternity.
Arguably, digital eternity is a problem because privacy matters. The right to be forgotten endows the data subject (data owner) to request the data controller or data processor to erase, or remove personal data if they’re no longer relevant to the purposes for which they were collected or otherwise processed.
As a matter of principle, the data subject has the right to withdraw his or her consent or objects to the processing or retention if it’s no longer serving its original purposes.
Back to the AU Convention, its Article 19, titled ‘Right to rectification or erasure’, stipulates that: "any natural person may demand that the data controller rectify, complete, update, block or erase, as the case may be, the personal data concerning him/her where such data are inaccurate, incomplete, equivocal or out of date, or whose collection, use, disclosure or storage are prohibited’.
The right to be forgotten particularly stems from Article 13 of the AU Convention, which spells out the basic principles governing the processing personal data. Principle 3, of the provision says ‘Principle of purpose, relevance and storage of processed personal data’.
It provides, among others things, data shall be kept for no longer than is necessary for the purposes of which the data were collected or further processed.
However, in striking a balance, the same principle states that beyond the required period, data may be stored only for the specific needs of data processing undertaken for historical, statistical or research purposes.
It’s noteworthy that the right to be forgotten is not absolute, and neither is the right to privacy. As such, the right to be forgotten must be balanced with other competing rights and interests, such as the right of access to information and data storage for the purposes of public interest. Such overriding legitimate interest would definitely set aside the right to be forgotten.
Interestingly, the right to be forgotten serves the right to privacy. It is widely accepted at least privacy is an essential thing. In Europe, for example, which is more advanced in protecting the right to be forgotten, such a right is solidly protected.
The right to be forgotten was reaffirmed in a famous case of a Spanish citizen, Mario Costeja González, against ‘Google Spain’ and the ‘American Google Inc.’ In this particular case, entertained by Court of Justice of the European Union (CJEU) where it ordered Google Spain or Google Inc. to remove links of personal data of Mario Costeja González from Google’s search results or indexes that were no longer relevant or outdated.
The right to be forgotten endows the data subject to request the data controller or processor to remove personal data if it’s no longer relevant to the purposes of collecting or processing.
The writer is a law expert.
The views expressed in this article are of the author.