The ʻRight to be Forgottenʼ beyond the EU: An Analysis of Wider G20 Regulatory Action and Potential Next Steps

David Erdos
Faculty of Law and Trinity Hall, University of Cambridge

It has been increasingly asserted that data protection can and should enable individuals to exert some control at least ex post over online data dissemination. Notwithstanding contrary suggestions, therefore, the ʻright to be forgottenʼ is not solely an EU phenomenon. Post-2014 the majority of the eight national DPAs operating in non-EU G20 jurisdictions with established data protection legislation have sought to implement such a right through guidance and, in three cases, also enforcement. These jurisdictions span three regions and encompass jurisdictions such as Australia and Canada with a similar outlook to the EU. In light of the profoundly globalised nature of the internet, greater transnational coordination would be valuable. Whilst the G20 is itself ill-suited to this task, the pan-regional Data Protection Convention framework overseen by the Council of Europe as well as the Global Privacy Assembly could play an important role.

Keywords: data protection, internet governance, right of erasure, reputation, search engines

Introduction

The handing down of Google Spain by the Court of Justice of the EU (CJEU) in 2014 and the finalisation of the General Data Protection Regulation (GDPR) with its explicit language on the ʻright to be forgottenʼ online has prompted significant and continuing, even if patchy, regulatory intervention in this area across many parts of the EU.
Indeed, following on from original guidance produced by the Article 29 Working Party in 2014,[footnoteRef:2] in July 2020 the European Data Protection Board (EDPB) adopted formal guidelines on scope and structure of the right to be forgotten applicable to search engines and reiterated that it was continuing work to finalise more general guidance on Article 17 of the GDPR,[footnoteRef:3] the part of that instrument which is specifically badged as the “right to erasure (ʻright to be forgottenʼ)”. A number of recent enforcement actions especially targeted at Google have also either recently been launched or have been finalised at national level. For example, in June 2019 the Italian Data Protection Authority (DPA) upheld an individual claim to delinking on Google which extended beyond name-based searches to also encompass referencing on the basis of a job title.[footnoteRef:4] Meanwhile, in March 2020 the Swedish DPA fined Google 75 million kroner (approximately €7m) for alleged failings in relation to the right to be forgotten including, most notably, its continuing practice of unsafeguarded notification of the original webmaster of the material delinked under this right.[footnoteRef:5] In contrast, not only the potential online role of the ʻright to be forgottenʼ in data protection law but also the stance of data regulators continues to be far less visible outside the EU context. This is rather surprising since “the increase in threats and content issues for individuals in the online environment” are “causing problems for children, teenagers and adults worldwide, not merely those in the EU”.[footnoteRef:6] The limits of the EU itself seeking to unilaterally ensure the right to be forgotten globally have also become increasingly apparent, both at a regulatory and strictly legal level. 
Thus, EU DPAs indicated as early as 2014 that they would “focus” on right to be forgotten claims against search engines (only) where there was “a clear link between the data subject and the EU, for instance where the data subject is a citizen or a resident of an EU Member State”.[footnoteRef:7] Meanwhile, in Google v CNIL (2019) the CJEU rejected the French DPA’s claim that a global operator such as Google was systematically obliged to apply the EU’s version of the ʻright to be forgottenʼ across its services worldwide; moreover, although the Court found that EU regulators could order such a result in specific cases as guided by their own national standards, it remains unclear how effectively this will or even can be applied in practice.

[2: Article 29 Working Party, Guidelines on the implementation of the Court of Justice of the European Union judgment on “Google Spain and inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12 (2014), https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp225_en.pdf.]
[3: European Data Protection Board, Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engine cases under the GDPR (part 1) Version 2.0 (2020), https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201905_rtbfsearchengines_afterpublicconsultation_en.pdf, p. 4.]
[4: Italy, Garante per la Protezione dei Dati Personali, Provvedimento del 20 giugno 2019 [9124401], https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9124401.]
[5: Sweden, Datainspektionen, The Swedish Data Protection Authority imposes administrative fine on Google (2020), https://www.datainspektionen.se/nyheter/the-swedish-data-protection-authority-imposes-administrative-fine-on-google/.
In November 2011 the Swedish Administrative Court upheld the Swedish DPA on this crucial point, although as a result of other parts of its ruling it reduced the overall fine to 52m kroner (approximately €5m). See Förvaltningsrätten i Stockholms [Stockholm Administrative Court] 2020 case no. 7565-20. This case is currently under appeal.]
[6: Paul Lambert, The Right to be Forgotten (Bloomsbury, 2019), p. 15.]
[7: Article 29 Working Party, Guidelines on the Implementation of the Court of Justice of the European Union Judgment on ‘Google Spain and Inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González’ C-131/12 (2014), https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp225_en.pdf, 8.]

Given this, it is vital to explore the ʻright to be forgottenʼ not just within, but also beyond, the EU. This has been a task which I have pursued at increasing levels of granularity with Krzysztof Garstka. Focusing especially on the case of search engines, in 2017 we analysed data protection instruments adopted by the African Union (AU), Asia-Pacific Economic Cooperation (APEC), the Association of Southeast Asian Nations (ASEAN), the Council of Europe, the Economic Community of West African States (ECOWAS) and the Organisation for Economic Cooperation and Development (OECD).[footnoteRef:8] We found that, whilst lacking any specific nomenclature, all except the ASEAN instrument provided structural support for an overarching ʻright to be forgottenʼ online and even the one adopted by ASEAN did so as regards inaccurate or incomplete data. In 2020 we went beyond these generally non-self-executing transnational instruments by examining the statutory data protection frameworks as adopted within individual G20 jurisdictions.
We found that fifteen out of the nineteen G20 States now had data protection laws that could in principle empower individuals to challenge the continued dissemination of personal data online not just where inaccurate but also on wider legitimacy grounds. Our analysis at the national level enabled us to look at provisions that are directly effective. Moreover, the focus on the G20 was grounded not only in reasons of practicality but also in the dominant role these countries play in global society and economy including online. Nevertheless, both studies were limited to the formal legal level and, thereby, excluded any analysis of practical efforts to implement a right to be forgotten. This gap may be significant since it has been widely suggested that the spread of theoretical right to be forgotten remedies may not tally with a genuine normative commitment which might lead to active implementation.[footnoteRef:9] [8: Krzysztof Garstka and David Erdos, ‘Hiding in Plain Sight: The “Right to be Forgotten” and Search Engines in the Context of International Data Protection Frameworks’ in Luca Belli and Nicolo Zingales (eds), Platform Regulations: How Platforms are Regulated and How They are Regulating Us (FGV Direito Rio 2017). ] [9: See Gregory Voss and Céline Castets-Renard, ‘Proposal for an International Taxonomy on the Various Forms of the “Right to be Forgotten”: A Study on the Convergence of Norms’ (2015) 14 Colorado Technology Law Journal 281, 342.] This article, therefore, seeks to explore this question of implementation by examining the relevant guidance and enforcement efforts by supervisory Data Protection Authorities (DPAs) within the G20 but outside the EU. Given that data subjects may generally also have recourse to the ordinary courts, DPA activity does not represent the only way of seeking to ensure that data protection is practically applied. 
However, whilst any claim that “without the agency, there is no data protection”[footnoteRef:10] would be overstated, DPAs are generally accorded a crucial place within the data protection ecosystem and are able to play a considerably greater catalytic role than most other actors. They also seek to exert a standard-setting role transnationally through the Global Privacy Assembly (formerly the International Conference of Data Protection and Privacy Commissioners), as well as in regional fora such as the European Conference of Data Protection Authorities. Indeed, within the EU, these powerful roles have been epitomised by the successful efforts of the Spanish DPA to apply right to be forgotten duties to search engines in Google Spain (2014) and the continued centrality of national DPAs, as well as the unifying group of the EDPB, in elucidating and policing such duties subsequently.

[10: Peter Blume and Christian Svanberg, ʻThe Proposed Data Protection Regulation: The Illusion of Harmonisation, the Private/Public Divide and the Bureaucratic Apparatusʼ (2013) 15 CYELS 27, 40.]

The broader G20 analysis, which was undertaken in mid-2020, revealed significant growing interest in these issues within what remained a very complex landscape. To begin with, although 15 out of the 19 G20 jurisdictions have enacted data protection law, seven of these fell outside of the core analysis. Four (France, Germany, Italy and the UK[footnoteRef:11]) were subject to EU law. In a further two States (Brazil and South Africa) data protection legislation was on the statute book but had yet to come into force and in one jurisdiction (Indonesia) the law did not make any provision for a DPA. Turning to the remaining eight cases, many published at least general guidance that in principle could be interpreted as leading to right to be forgotten concerns being actionable under data protection.
Half (Australia, Canada, Russia and Turkey) went considerably further and published specific guidance on how individuals might take action as regards the problematic dissemination of personal information under data protection. At least as regards organisational operators, this guidance was generally broad in scope, although in the case of Australia it focused principally on social media platforms rather than on search engines. With the exception also of Australia, these DPAs were additionally found to have undertaken relevant enforcement activity, although the extent and depth of this varied considerably. [11: Although the UK technically left the EU on 31 January 2020, the transition arrangements made it subject to EU law throughout the rest of 2020. Given this, the analysis presented in this article treated the UK as a de facto EU State.] That, in addition to significant EU activity, half of the established national DPAs within the wider G20 have sought to implement a right to be forgotten highlights significant although patchy interest here. The jurisdictions within which these regulators operate are geographically and jurisprudentially diverse and span not only the wider European area, but also the Asia-Pacific and the Americas. There have been concerns that at least the Russia DPA could be implicated in a policy of “networked authoritarianism”[footnoteRef:12] which deploys general tools of internet governance in order to stifle democratic rights and dissent. On the other hand, it is clear that at least Australian and Canadian data regulation is rooted in a similar outlook to that of the EU, namely, the imperative to balance human rights linked to the free flow of data with those such as privacy and reputation that require restraints. It would, therefore, be valuable to consider whether there is potential for international action beyond the EU to promote greater coordination in this area. 
Recently, the G20 itself has joined the OECD and the Council of Europe in launching initiatives designed to secure broad global agreement on data protection issues. However, its highly informal nature makes it ill-suited to coordinating the detailed and sensitive issues which arise in relation to the right to be forgotten. Recent OECD action on data protection has been similarly limited and high-level. In some contrast, the Council of Europe has not only continued to sponsor the sole Data Protection Convention open to States worldwide, but the Convention’s Consultative Committee has facilitated the development of related guidelines on a range of topical issues over recent years. Alongside a wide spectrum of other State and non-State actors, this Committee brings together eight G20 States as full members and a further seven as observers. Since the Convention itself conceptually supports a version of the ʻright to be forgottenʼ,[footnoteRef:13] this Committee would be well placed to help formulate common core understanding of norms and modalities here. Whilst bringing together most DPAs from all five continents, the Global Privacy Assembly (GPA) continues to lack any similar common instrument of even ‘soft’ law status. Nevertheless, it could also help ensure further deliberation on these issues and facilitate practical enforcement cooperation amongst like-minded regulators. [12: Nathalie Maréchal, ‘Networked Authoritarianism and the Geopolitics of Information: Understanding Russian Internet Policy’ (2017) 5 Media and Communication 29, 36.] [13: Garstka and Erdos (2017) (supra note 7).] The rest of this article is divided into five further sections. The first sets out relevant background by explicating the concept of the ʻright to be forgottenʼ, the experience of the EU in this regard and, drawing largely on previous work, the extent to which statutory data protection within the G20 also instantiates this concept and grants a role to DPAs in implementing this. 
The next two sections elucidate the core findings of the article, with section two examining regulatory guidance and section three, regulatory enforcement. The fourth section then engages in further analysis, comparing the patterns revealed at a regulatory level with the previous statutory analysis, considering how this area may relate to broader orientations on internet governance and finally examining how a wider and more interoperable ʻright to be forgottenʼ framework might be fruitfully promoted transnationally in the future. A final conclusion follows.

The Right to be Forgotten, G20 Statutory Laws and EU Action:

Delineating the ‘Right to be Forgotten’:

Notwithstanding its now extensive deployment within online governance discussions, the ʻright to be forgottenʼ remains an unclear and even contested concept in a legal context. Indeed, this term is only explicitly recognised in one of the world’s data protection instruments, namely, the EU’s General Data Protection Regulation (GDPR) 2016/679 which labels article 17 as the “right to erasure (ʻright to be forgottenʼ)”. Seen from a highly formalistic vantage point, it could therefore be argued that this right is only recognised by countries subject to the GDPR and that it has whatever meaning is ascribed to it within that instrument. For example, Jeffrey Rosen’s seminal article produced when the GDPR was first put forward in 2012 began with the bald statement that:

At the end of January, the European Commissioner for Justice, Fundamental Rights, and Citizenship, Viviane Reding, announced the European Commission’s proposal to create a sweeping new privacy right – the “right to be forgotten.” This right, which has been hotly debated in Europe for the past few years, has finally been codified as part of a broad new proposed data protection regulation.[footnoteRef:14]

[14: Jeffrey Rosen, ʻThe Right to be Forgottenʼ (2011-12) 64 Stan. L. Rev. Online 88, 88.]
Nevertheless, the fact that, even within the final GDPR text, this language was ultimately only added in ellipses to a long-standing right, namely the right of erasure, immediately highlights the challenges of such an approach. Indeed, compared to the cognate provision in Data Protection Directive (DPD) 95/46,[footnoteRef:15] the GDPR’s precursor, the only addition is a specific duty placed on those subject to a bona fide right to erasure who have also made the relevant personal data public to “take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data”.[footnoteRef:16] It is clear that, rather than being truly autonomous, this addition seeks to grant further weight to the existing right to erasure when data have been subject to principally online[footnoteRef:17] dissemination. Moreover, it is notable that even before the GDPR was agreed, the Court of Justice of the EU (CJEU) in Google Spain (2014) had explicitly grappled with the idea of a “right to be forgotten”[footnoteRef:18] when upholding the ability of individuals to challenge the indexing by search engines of publicly-available personal data relating to them. That holding was grounded in no less than three rights which existed even under the DPD, namely, the right to have personal data rectified where inaccurate,[footnoteRef:19] the right to have otherwise illegally processed data erased,[footnoteRef:20] and the right to object to processing on compelling personal grounds.[footnoteRef:21] Indeed, whilst lacking the high profile of Google Spain, linkages between data protection and a right to oblivion or to be forgotten can be traced back many decades in Europe. 
For example, a déliberation from the French DPA in 2001 argued that the framework as implemented in France included a “droit à l’oubli” of such strength that given online realities (including, most notably, search engines) it was necessary in most circumstances to ensure that jurisprudential information was (pseudo)anonymized prior to its publication on the open internet.[footnoteRef:22] Yet further back, the Norwegian Data Protection Commissioner claimed as early as the mid-1980s that it was critical for data protection to address “to what extent it is possible to give persons fair and necessary access to what personal information is reported about them through data banks of press information, and how far is there a chance that wrong and misleading information could be corrected and adjusted in ways that prevent harm occurring”.[footnoteRef:23] [15: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, art. 12(b).] [16: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art. 17(2).] [17: This focus is particularly apparent in a linked provision which requires the European Data Protection Board to “issue guidelines, recommendations and best practices on procedures for erasing links, copies or replications of personal data from publicly available communication services as referred to in Article 17(2)” (GDPR, art. 70(1)(d)).] [18: C-131/12 Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, EU:C:2014:317 at [91].] [19: DPD, art. 12(b).] [20: Ibid, art. 12(b).] [21: Ibid, art. 14.] 
[22: See Commission Nationale de l’Informatique et des Libertés, Délibération portant recommandation sur la diffusion de données personnelles sur internet par les banques de données de jurisprudence, https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000017653503/.] [23: Helge Seip, “The Individual in the Age of Telematics”, Transnational Data Report (1983), 363.] In light of the above, a conceptual as opposed to formalistic understanding of the ʻright to be forgottenʼ is clearly imperative. The commonality in the examples above is an understanding that data protection can and should enable individuals, especially in the context of online dissemination, to restrict access or otherwise exercise at least ex post control over personal data (with a view to preventing actual or potential harm), provided that there are no legitimate and overriding reasons to oppose such restriction or control. Such a broad understanding has already been successfully deployed in a linked study of the relationship between this right and statutory data protection provisions within the G20 and will, therefore, also be used in this regulatory context. It is important to stress in this regard that, although the reasons opposing restriction or control can even include the legitimate interests of a purely commercially orientated organisation, the exercise of freedom of expression including its sub-right the freedom of information must be accorded particularly strong weight in this regard. 
Indeed, in two recent cases following on from Google Spain the CJEU recognised the tension between conflicting rights here and stressed that “the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality”.[footnoteRef:24] In sum, therefore, the right to be forgotten as thus laid out recognises and seeks to integrate tensions with other rights including to freedom of expression but does not see these rights as inherently inconsistent with data protection playing a role in policing the dissemination of personal information online.

[24: C-507/17 Google LLC, successor in law to Google Inc. v Commission nationale de l'informatique et des libertés (CNIL), EU:C:2019:772 at [60]. See similarly C-136/17 GC and Others v Commission nationale de l'informatique et des libertés (CNIL), EU:C:2019:773 at [57].]

The Right to be Forgotten within G20 Statutory Data Protection:

Previous research published with Krzysztof Garstka systematically examined the extent to which statutory data protection within the G20 instantiated a right to be forgotten as conceptualized above.[footnoteRef:25] Table One summarises its findings. It also includes additional information on the presence or absence of a regulatory DPA within these countries and also on their involvement in extra-regional transnational institutions active in the data protection field, namely, the Council of Europe’s Data Protection Convention (DPC), the Global Privacy Assembly (GPA) and the Organisation for Economic Co-operation and Development (OECD). These additions relate to this article’s own concern with regulatory implementation and transnational coordination and will be referred to in subsequent sections.
[25: David Erdos and Krzysztof Garstka, ‘The “right to be forgotten” online within G20 statutory data protection frameworks’ (2020) 10 International Data Privacy Law 294. ] As can be seen from this table, comprehensive statutory data protection was found in 15 out of the 19 (or approximately 80%) of G20 States. Data protection law was defined in line with Greenleaf’s understanding of a ʻdata privacy lawʼ,[footnoteRef:26] with the stipulation of comprehensive additionally requiring that most handling of personal data by both the public sector and at least the commercial private sector fell within its scope. In one case (Indonesia), however, the law did not provide for a DPA and in two more (Brazil and South Africa), the statutory provisions were still to come into effect when initial data collection took place (in June 2020).[footnoteRef:27] In addition, in four of these cases (France, Germany, Italy and the UK[footnoteRef:28]) the law applicable was the GDPR and associated EU legislation. All except two of these 15 laws set out an exemption for personal activity by individuals and the same number included deep carve-outs for free speech. However, the personal exemption was generally narrowly defined so as to exclude impactful general dissemination of data and, with the exception of Turkey,[footnoteRef:29] the free speech carve-outs were limited to special types of expressive activity such as journalism and, in certain cases, also academic, artistic and/or literary expression. 
In approximately half of the laws, these carve-outs were also restricted by some kind of public interest test or even a more structured and restrictive reconciliation between such special expression and default data protection provisions.[footnoteRef:30] A minority of State laws included other potentially significant limitations in scope variously removing small businesses (Australia) or the non-commercial private sector (Canada (as regards federal legislation),[footnoteRef:31] Japan, Korea) from the law’s ambit and/or requiring that even electronic data be systematically organised in order to fall within the data protection framework (Argentina, Indonesia, Japan and Korea). Turning to look at the general provisions in the law, it was found that all 15 G20 States had provisions which set out a subjective right to rectify inaccurate data and 14 provided a similar right to suppress or erase personal data whose continuing general dissemination might otherwise lack legitimacy.[footnoteRef:32] The only exception here was Canada which nevertheless did establish a presumption that the “knowledge and consent” of the individual would be obtained for personal data handling except where this was “inappropriate”.[footnoteRef:33] Finally, ten out of these 15 States set out certain statutory liability shields for online intermediaries hosting content that could potentially help justify limiting the data protection responsibilities of certain online platforms disseminating personal data principally to ex post action. In the great majority of these States, these shields were restricted to situations where the operators had not been made aware of any illegality, but in two jurisdictions they extended either in all cases (Indonesia) or outside the area of sexual privacy (Brazil) to situations where the illegality had not been the subject of a specific judicial ruling. 
[26: This inductive definition holds that ʻa data privacy law must include as a minimum (i) access and correction rights (ʻindividual participationʻ), (ii) some ʻfinality’ principles (limited on use and disclosure based on the purpose of collection), (iii) some security protections; and (iv) overall, at least 11 of the 15 OECD/CoE principlesʼ as distilled from the OECD Privacy Guidelines 1980 and the Council of Europe Data Protection Convention 108. See Graham Greenleaf, ʻSheherezade and the 101 Data Privacy Laws: Origins, Significance and Global Trajectories’ (2014) 23 (1) Journal of Law, Information & Science 1, 14.]
[27: The South Africa law finally came into force on 1 July 2020, but with regulatory enforcement through the DPA delayed until 1 July 2021 (Nerushka Bowman, After 7-year wait, South Africa’s Data Protection Act enters into force (1 July 2020), https://iapp.org/news/a/after-a-7-year-wait-south-africas-data-protection-act-enters-into-force/). Meanwhile, the Brazilian law came into force on 14 August 2018 but, again, with regulatory enforcement delayed until 1 August 2020 (Aaron Tantleff, Stephanie Pierce and Steven Millendorf, Brazilian Government Makes the LGPD Effective Immediately (10 September 2020), https://www.mondaq.com/brazil/data-protection/984164/brazilian-government-makes-the-lgpd-effective-imminently).]
[28: For the particular situation of the UK see supra note 10.]
[29: Turkish law provided a broader carve-out not only “for the purposes of art, history, and literature or science” but also “within the scope of freedom of expression” but only “provided that national defence, national security, public order, economic safety, private or personal life or personal rights are not violated” (Turkey, Data Protection Law 2016, art. 28(1)(c)).]
[30: In sum, whilst the Russian, French and Italian provisions set out structured and restricted tests, the South African, Turkish and UK provisions largely focused on an open-textured public interest analysis.
A few of the States with essentially absolute free speech carve-outs also set out limited protection such as mandating the publication of a privacy policy (Australia) or requiring a striving to take necessary action to ensure the proper handling of personal data (Japan). In Canada, the province of Quebec uniquely sets out a very partial qualification providing that the exemption is only applicable as regards “material collections, held, used or communicated for the legitimate information of the public” (Quebec, Act Respecting the Protection of Personal Information in the Private Sector 1993, s. 1 (emphasis added)).]
[31: Federal legislation is complemented in a minority of three out of the ten provinces (Alberta, British Columbia and Quebec) with local legislation which extends data protection into other areas of the private sector. See Alberta, Personal Information Protection Act 2003, s. 4; British Columbia, Personal Data Protection Act 2003, s. 3 and Quebec, Act Respecting the Protection of Personal Information in the Private Sector 1993, s. 1.]
[32: Although, in Turkey such a right is peremptorily disabled where the information in question has been manifestly made public by the data subject themselves (Turkey, Data Protection Act 2016, art. 28(2)(b)).]
[33: Canada, Personal Information Protection and Electronic Act, s 4(3).]

Right to be Forgotten Outcomes within the EU and Further Questions

It was striking that the statutory analysis summarised above did not find the data protection frameworks within the EU to be structurally peculiar, either as currently existing under the GDPR or as previously established under the erstwhile DPD.
To the contrary, in common with the great majority of G20 States, the G20 EU countries provide a personal exemption,[footnoteRef:34] a journalistic/special expression limitation[footnoteRef:35] (which in the case of Germany is even essentially absolute in nature[footnoteRef:36]) and an intermediary shield regime that is at least arguably applicable to data protection.[footnoteRef:37] Moreover, in common with the previous analysis of Voss and Castets-Renard,[footnoteRef:38] almost all data protection laws were found to support a version of the right to be forgotten. Nevertheless, both before and after the coming into force of the GDPR, the right to be forgotten has generally been seen within data protection regulation as an EU preoccupation. Indeed, just such a reality has been strongly suggested by Voss and Castets-Renard: [34: GDPR, art. 2(2)(c); DPD, art. 3(2).] [35: GDPR, art. 85(2); DPD, art. 9.] [36: In Germany the journalistic activities of the press are generally entirely removed from the reach of data protection law. Meanwhile, telemedia activity is subject to only severely limited access and rectification duties and, in relation to the press, even this can be excluded when the media organisations concerned subject themselves to the self-regulatory procedures of the German Press Council. See Germany, Interstate Treaty on Broadcasting and Telemedia, ss 9c and 57.] [37: See GDPR, art. 2(4).] [38: Voss and Castets-Renard (2015) (supra note 8).] [I]t may be seen that Europe remains ahead of countries in other regions in the protection of personal data. 
This is even truer with the GDPR, which grants a subjective and arbitrary right to have one’s personal data deleted by information society service providers, which are the most data-consuming parties … Conversely, it is uncertain whether the arguable ‘economic opportunism’ that some countries may have shown, particularly in Asia or the U.S., in order to allow trade with Europe, reflects a real will to strongly protect individuals. The convergence of legal norms exists on the legal-instrument level but is certainly not as deep as it seems in its normative force.[footnoteRef:39] [39: Ibid, p. 342.] It is certainly true that in the wake of the CJEU’s Google Spain judgment, EU DPAs have engaged in significant activity here. Thus, although it is beyond the scope of this article to explore this comprehensively, it may be noted both the current EDPB[footnoteRef:40] and the former Article 29 Working Party[footnoteRef:41] have published relevant guidance at pan-European level. Many individual DPAs subject to EU law have also carried out concrete enforcement actions including those in the G20 States of France,[footnoteRef:42] Germany,[footnoteRef:43] Italy[footnoteRef:44] and the UK.[footnoteRef:45] What is less clear is whether similar engagement has been forthcoming from other leading DPAs internationally. Answering this question has significant implications for the future stability and evolution of the right to be forgotten. The rest of this article, therefore, examines the track-record of G20 DPAs outside the EU legal grouping and from this considers how the right to be forgotten might best be developed in a global context. [40: See European Data Protection Board (2020) (supra note 2).] [41: See Article 29 Working Party (2014) (supra note 6) and Opinion 5/2009 on Online Social Networking (2009), https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2009/wp163_en.pdf.] 
[42: The most notable action here involved, albeit substantially unsuccessful, attempts to ensure that search engines like Google were responsible for deindexing material not just against services accessible via European IP addresses but also globally. See Commission Nationale de l'Informatique et des Libertés, Droit Au Déréférencement: Le Conseil D’état Tire Les Conséquences Des Arrêts De La Cour De Justice De L’Union Européenne (2020), https://www.cnil.fr/fr/droit-au-dereferencement-le-conseil-detat-tire-les-consequences-des-arrets-de-la-cour-de-justice-de.] [43: Within the federal system of Germany, the Hamburg DPA has played a particularly significant role as a result of the establishment of Google within its territory. An analysis of its website indicated that it had intervened to ensure that Google proactively deindexed bankruptcy information made available systematically on certain dedicated websites and had also intervened before the German Constitutional Court in order to uphold a right to be forgotten against newspaper archives. See Hamburgischen Beauftragten für Datenschutz und Informationsfreiheit, Keine Google-Links Mehr Zu Insolvenzdaten Auf Unzulässigen Gewerblichen Internetangeboten (2017), https://datenschutz-hamburg.de/pressemitteilungen/2017/08/google-insolvenz and Recht auf Vergessenwerden künftig auch gegenüber Online-Archiven (2019), https://datenschutz-hamburg.de/pressemitteilungen/2019/11/2019-11-28-recht-auf-vergessenwerden.] [44: The Italian DPA issued enforcement decisions in numerous right to be forgotten cases including one where it sought to require Google’s search engine to deindex material against a search including not only an individual’s name but also just their job details. See Garante Per La Protezione Dei Dati Personali (2019) (supra note 3).] 
[45: The UK DPA took formal enforcement action against Google to require it to deindex material relating to an individual’s spent criminal convictions that had been republished and then reindexed following notification by Google of the initial deindexing to the original journalistic publisher. See UK, Information Commissioner’s Office, Enforcement Notice to Google Inc (2015), https://ico.org.uk/media/about-the-ico/disclosure-log/2172633/irq0690864-attachment-5.pdf.]

Table One: Summary of G20 Statutory Data Protection Laws and the Right to be Forgotten

Country (& relevant extra-regional transnational affiliations) | DP Law & Regulation | Personal Exemption | Journalism/ Free Expression Exemption | Other Major Scope Limitation | Ex Post Inaccuracy Right | Ex Post Legitimacy Right | Statutory Intermediary Shield
Argentina (DPC; GPA; OECD)
Australia (DPC Observer; GPA, OECD)
Brazil (DPC Observer) (on books) (limited re sexual privacy)
Canada (DPC Observer; GPA; OECD)
China - - - -
France (DPC; GPA; OECD) (GDPR) (qualified) (limited)
Germany (DPC; GPA; OECD) (GDPR) (limited)
India (GPA Observer) - - - - - -
Indonesia (DPC Observer) (no DPA)
Italy (DPC; GPA; OECD) (GDPR) (qualified) (limited)
Japan (DPC Observer; GPA; OECD) (limited)
Korea (DPC Observer; OECD) (limited)
Mexico (DPC; GPA; OECD)
Russia (DPC; GPA Observer) (qualified)
Saudi Arabia - - - - - -
South Africa (GPA) (on books) (qualified) (limited)
Turkey (DPC; GPA; OECD) (qualified) (limited)
United States (DPC Observer; GPA; OECD) - - - - - -
United Kingdom (DPC; GPA; OECD) (GDPR) (qualified) (limited)
TOTALS | 15 | 13 | 13 (6 qualified) | 5 | 15 | 14 | 10 (8 limited)

G20 DPA Guidance on the Right to be Forgotten Online outside the EU

As previously mentioned, 15 out of the 19 G20 jurisdictions were found to have data protection legislation. However, four of these were subject to EU law, the data protection framework had yet to come into force in two more and in one further State no supervisory authority was established. 
This, therefore, left eight national DPAs[footnoteRef:46] to investigate. This investigation began by looking for relevant ʻguidanceʼ made available on these authorities’ websites. ʽGuidanceʼ was defined broadly to refer to any published pronouncement from a data regulator that had clear relevance to the right to be forgotten, even if this was not badged as advice or guidance as such. Most of the DPAs were found to have published material that in principle could be read to support a right to be forgotten when conceptually defined. For example, the Mexican DPA (the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) provided a general guide on how individuals could exercise their rights of rectification, cancellation and opposition, as well as that of access, under the law.[footnoteRef:47] The Argentinian DPA, which is styled somewhat misleadingly as the Agencia de Acceso a la Información Pública,[footnoteRef:48] combined similar guidance[footnoteRef:49] with material linked to ʻun proceso de reflexión sobre la necesidad de reformar la ley vigenteʼ (ʻa process of reflection on the need to reform the current lawʼ) which it had initiated from 2016. However, although the right to erasure was often explicitly referred to as the ʻderecho al olvidoʼ (ʻright to be forgottenʼ) by the DPA and others in these documents, this process otherwise highlighted significant controversy and disagreement in this area. 
The initial draft law produced in 2016 sought to expand the role of data protection law and regulation in its interaction with freedom of expression.[footnoteRef:50] A consultation with approximately forty private sector, academic and civil society actors later in 2016 indicated that a majority (although not all) believed that as a result of specific ʻhabeas dataʼ provisions found in article 43 of the Argentine Constitution, the right to erasure was currently limited to judicial enforcement and should remain so.[footnoteRef:51] Further drafts produced in 2017[footnoteRef:52] and 2018[footnoteRef:53] sought explicitly to limit the role of data protection here. Nevertheless, although the last document was forwarded by the Government to the Parliament, no statutory reform has ultimately been forthcoming. [46: As previously stated (see note 30) national regulation in Canada is complemented even in the private sector by local regulatory schemes in three out of ten provinces. However, even in these cases, all interprovincial as well as international commercial data processing continues to be governed exclusively through federal legislation which is overseen by the federal Office of the Privacy Commissioner. For details see Michael Deturbide and Teresa Scassa, Digital Commerce in Canada (Lexis Nexis, 2020), 114-119 and 125. Given the dominance of the Canadian Office of the Privacy Commissioner within the area explored in this article, it was decided to only focus on national regulation here.] [47: Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales, ¿Cómo ejercer el derecho a la protección de datos personales? (n.d), http://inicio.inai.org.mx/SitePages/Como-ejercer-tu-derecho-a-proteccion-de-datos.aspx?a=m2.] [48: A subunit within this agency is styled the Dirección Nacional de Protección de Datos Personales. 
See Agencia de Acceso a la Información Pública, Dirección Nacional de Protección de Datos Personales, https://www.argentina.gob.ar/aaip/autoridades/dnpdp.] [49: Agencia de Acceso a la Información Pública, Data Personales: Tus Derechos - Derecho de rectificación, actualización o supresión (n.d.), https://www.argentina.gob.ar/aaip/datospersonales/derechos#rectificacionactualizacionosupresion.] [50: In sum, although the draft did include a narrowly drafted personal exemption and disapplied the right to erasure in so far as this was “necesario” (“necessary”) for the exercise of freedom of expression (and information), its special expression carve-out was limited only to where the secrecy of journalistic information would be affected rather than, as in the current law, also to all media databases. See Anteproyecto de Ley de Protección de Datos Personales primera versión, arts. 3 and 31(4), https://www.argentina.gob.ar/sites/default/files/anteproyecto_de_ley_de_proteccion_de_los_datos_personales.pdf.] [51: One ‘sector’, presumably a reference to one part or perhaps all of the private sector participants, also opposed any interpretation suggesting that search engines were themselves responsible under current data protection law. See Dirección Nacional de Protección de Datos Personales, Ley de Protección de los Datos Personales en Argentina: Sugerencias y aportes recibidos en el proceso de reflexión sobre la necesidad de su reforma Agosto-Dicembre 2016, https://www.argentina.gob.ar/sites/default/files/documento_aportes_reforma_ley25326_0.pdf, pp. 8, 24 and 33. Related documents indicated that similar groupings made submissions to a more formal consultation run in 2017 but do not provide further detail.] [52: This draft proposed to confirm the special expression carve-out to all processing carried out by the media in the exercise of freedom of expression and also provided that any sanctions issued by the DPA could not affect freedom of expression (and information). 
See Nueva versión del anteproyecto de Ley de Protección de Datos Personales 2017, https://www.argentina.gob.ar/sites/default/files/anteproyecto_reforma_ley_proteccion_de_los_datos_personales_nueva_version.pdf, arts. 3 and 76.] [53: This draft even sought to establish that judicial action under the statute should not affect freedom of expression (and information). See Mensaje 147/2018 Proyecto de Ley de Protección de Datos Personales, https://www.argentina.gob.ar/sites/default/files/mensaje_ndeg_147-2018_datos_personales.pdf, art. 88. This proposal was particularly surprising since even participants sceptical of a role for data protection here had focused during the deliberations on the dangers of regulatory rather than judicial overreach.] Four out of the eight DPAs (Australia, Canada, Russia and Turkey) went considerably further than these other regulators by publishing guidance that specifically engaged with and supported a right to be forgotten concept. The Canadian guidance was particularly extensive and so will be analysed last. Guidance from the Australian DPA (the Office of the Australian Information Commissioner (OAIC)) published in January 2020[footnoteRef:54] principally focused on personal data published on social media. It elucidated an understanding that, although the scope of other laws such as defamation and copyright could be broader, rights under the Privacy Act (the term in Australia for data protection legislation) generally had to be invoked against an organisation rather than an individual, that organisation had to “operate” within the country and in most cases also had to have an annual turnover of more than AU$3m (c. €1.86m).[footnoteRef:55] Nevertheless, signalling the potential reach of data protection remedies, “Facebook, Instagram, Twitter, Snapchat and LinkedIn” were specifically named as organisations which were subject to the Privacy Act. 
The guidance also stated that if an individual felt that their personal data was being mishandled by being posted on a social network, then they should contact the relevant social network and if unhappy with their response could lodge a complaint with this DPA.[footnoteRef:56] Another page specifically focused on photos and videos. Alongside a repeat of the same advice as regards social networks, this provided details of how to complain about images published on the street mapping service Google Street View. Whilst noting that the Privacy Act did not apply to journalism undertaken by a media organisation subject to published privacy standards, this page also detailed possible alternative avenues of redress available here through the Australian Press Council and the Australian Communications and Media Authority.[footnoteRef:57] [54: See Office of the Australian Information Commissioner, Protect your privacy online (10 January 2020), https://twitter.com/OAICgov/status/1216481565158412289.] [55: Office of the Australian Information Commissioner, Social Media and Online Privacy (n.d./2020), https://www.oaic.gov.au/privacy/your-privacy-rights/social-media-and-online-privacy/. The notion of operating in Australia was broadly construed to cover inter alia “hav[ing] a presence in Australia or carry[ing] on a business in Australia”.] [56: Ibid. Various other options were set out including, as an initial step, asking any individual who had posted the information to themselves take it down and, additionally, consulting a lawyer in the case of defamatory material and the police in case of serious harassment. As regards children subject to cyberbullying, the guidance also signposted the complaints procedure available through the Australia Office of the eSafety Commissioner.] [57: Office of the Australian Information Commissioner, Photos and videos (n.d.), https://www.oaic.gov.au/privacy/your-privacy-rights/social-media-and-online-privacy/photos/.] 
The Russian DPA (Roskomnadzor) did not produce specific guidance in the form of a structured elucidation of the legal framework but nevertheless signalled its understandings through press reports published on its site dating back over five years. In a wide-ranging interview in late 2014, the then head of Roskomnadzor Alexander Zharov argued that the right to oblivion or to be forgotten had de jure applied in Russia since 2006 (the year that data protection was introduced) as regards all online resources including search engines but that, aside from some action on fake profiles, it had been practically stymied. This outcome was ascribed to the failure of the law to provide for significant penalties and, in explicit contrast to the situation in the EU post-Google Spain, a lack of judicial precedents, which in turn was linked to an alleged tendency of Russian citizens to look to state authorities rather than the courts for redress. Somewhat more tangentially, Zharov argued that anonymization and pseudonymization online had led to a transcending of legal boundaries in areas such as defamation and argued that a Russian legal change requiring bloggers with more than 3,000 unique visitors each day to register with Roskomnadzor could play a positive role in addressing this.[footnoteRef:58] Another press release published at the same time argued that challenges arose not only from a lack of judicial precedents but also from large foreign internet companies not having offices within Russia which had the right to make legally significant decisions and stated that the Roskomnadzor, therefore, relied upon pre-trial decisions and self-regulation. 
In contrast to the Zharov interview, it also suggested that the current law extended (only) to the original source of information, as opposed to onward services such as search engines.[footnoteRef:59] Further releases encouraged discussion of the right to be forgotten in the context of experience elsewhere in the Council of Europe[footnoteRef:60] and stated that the Russian Ministry of Communications was preparing a law which would increase the financial penalty for refusing an exercise of this right thirty times and also enable the Roskomnadzor to act on violations independently of the Prosecutor’s Office.[footnoteRef:61] Roskomnadzor also indicated that it would deploy its legal authority to support any Russian citizen who lodged a claim against a search engine similar to that at issue in Google Spain but that the individual would need to go to court to start the legal process.[footnoteRef:62] The following year a number of releases focused on a draft sui generis law on the right to be forgotten vis-à-vis search engines which had been proposed by the Russian Government and was enacted shortly afterwards.[footnoteRef:63] Roskomnadzor supported this proposal, arguing that a ʻсбалансированнымʼ (ʻbalancedʼ)[footnoteRef:64] outcome with the internet industry was being crafted by, for example, limiting requests to searches containing a person’s name and requiring the application to specify each URL being objected to.[footnoteRef:65] More recent output from Roskomnadzor has focused principally on enforcement of various aspects of the right to be forgotten and so will not be explored here but rather in the next section. [58: Roskomnadzor, Коммерсант: «Совсем без интернета Россия не останется» (17 November 2014), http://rkn.gov.ru/press/publications/news28368.htm. This controversial law, which has been strongly linked to Russia’s so-called ‘networked authoritarianism’ discussed further in section four, was not very effective and was repealed in 2017. 
See Oleg Soldatov, ‘Half-Hearted Inception, Miserable Existence, and the Untimely Death of the Bloggers’ Register in Russia’ (2019) 52 Israel Law Review 61.] [59: Roskomnadzor, Российская газета: Чтобы не помнили (6 November 2014), https://rkn.gov.ru/press/publications/news28026.htm.] [60: Roskomnadzor, Rspectr: Необходимо соблюдать баланс между свободой выражения и правом на частную жизнь — Мария Михайлиду (5 November 2014), https://rkn.gov.ru/press/publications/news28034.htm and ТАСС: Роскомнадзор предлагает обсудить "право на забвение" применительно к пользователям Рунета, https://rkn.gov.ru/press/publications/news28032.htm.] [61: Roskomnadzor, Известия: Штраф за нарушение закона о персональных данных увеличат в 30 раз (7 November 2014), https://rkn.gov.ru/press/publications/news28088.htm.] [62: Ibid.] [63: О внесении изменений в Федеральный закон ʻОб информации, информационных технологиях и о защите информацииʼ и статьи 29 и 402 Гражданского процессуального кодекса Российской Федерации" от 13.07.2015 N 264-ФЗ (On Amendments to the Federal Law ʻOn Information, Information Technologies and on the Protection of Informationʼ and Articles 29 and 402 of the Civil Procedure Code of the Russian Federation dated July 13, 2015 N 264-FZ).] [64: Roskomnadzor, Жаров уверен, что закон об удалении ссылок будет сбалансированным (19 June 2015), http://rkn.gov.ru/press/publications/news33112.htm.] 
[65: Roskomnadzor, РГ.ру: Роскомнадзор поддержал введение в России "права на забвение" (18 June 2015), https://rkn.gov.ru/press/publications/news33114.htm and ТАСС: Разработчиков законопроекта "О праве на забвение" призвали к диалогу с интернет-отраслью (18 June 2015), http://rkn.gov.ru/press/publications/news33113.htm.] The Turkish DPA (Kişisel Verileri Koruma Kurumu) published a general decision from June 2020 which was in principle limited to the question of how a search engine should deal with a request for deindexing personal data from name-based searches but in fact examined many issues connected to the right to be forgotten generally.[footnoteRef:66] Whilst drawing principally on statutory data protection law including its core data protection principles, the decision also cited horizontal intermediary shield law, national constitutional provisions, national court decisions and transnational law especially from the EU but also from the Council of Europe and the United Nations. Its fundamental premise was that, although Turkish law did not discretely define the right to be forgotten, there were tools within data protection and related provisions to ensure that this right was respected. In the first place, the decision stated that original sources on the internet were themselves controllers of data and so individuals could exercise the right of deletion against them and the DPA would also evaluate and issue decisions on any issues raised with them on that basis. The position of social networks and other platforms hosting and managing personal data originating from individual users was not directly addressed in this regard. In contrast, the decision did specifically state that news websites were controllers, whilst also citing Turkish Constitutional Court case law that recognised that such sites including when archiving material would also fall under the protection of press freedom. 
Turning to search engines, the decision held that, at least insofar as these services indexed personal data through searches including an individual’s name, they would also be controllers. Complementing these structural rulings, the DPA published a list of eleven criteria against which it established that claims for deindexing should be evaluated both by search engines and by the regulator itself.[footnoteRef:67] This document, which drew heavily on similar guidance produced by the EU Article 29 Working Party (the precursor to the EDPB) in 2014, set out both factors militating in favour of deindexing (e.g. the data was inaccurate and/or sensitive) and ones in favour of continued processing (e.g. that the data subject played an important role in public life and/or related to original content processed within the scope of journalistic activity). [66: Kişisel Verileri Koruma Kurumu, Kişilerin Ad ve Soyadı ile Arama Motorları Üzerinden Yapılan Aramalarda Çıkan Sonuçların İndeksten Çıkarılmasına Yönelik Talepler ile ilgili olarak Kişisel Verileri Koruma Kurulunun 23/06/2020 Tarihli ve 2020/481 Sayılı Kararı (2020), https://www.kvkk.gov.tr/Icerik/6776/2020-481. The decision cited a rather narrow definition of the right to be forgotten which would limit it to a right of the individual to remove or restrict from access information which was initially lawfully spread on the basis of the passage of time. In fact, however, the decision looked at compliance with data protection rights generally, especially as regards the dissemination of personal data by search engines but also in relation to controllers of source material.] 
[67: Kişisel Verileri Koruma Kurumu, The Criteria to Be Taken into Account When Assessing Requests to Delist the Results Displayed Following a Search Made Based on Person’s Name and Surname from a Search Engine’s Index (n.d./2020), https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/95d8ad1b-e849-48c6-ba93-02ecedeffde5.pdf https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/68f1fb19-5803-4ef8-8696-f938fb49a9d5.pdf.] As previously stated, the most extensive right to be forgotten guidance was forthcoming from Canada’s DPA (the Office of the Privacy Commissioner). The seriousness with which it took the issue was indicated by an announcement in 2015 that it had formally established ʻ[r]eputation and privacyʼ as one of four strategic priorities, committing in the process to ʻhelp create an online environment where individuals may use the Internet to explore their interests and develop as persons without fear that their digital trace will lead to unfair treatmentʼ.[footnoteRef:68] Following on from this, it had published a discussion paper and launched a linked consultation in January 2016. Citing recent EU experience, this paper drew a firm distinction between the right to erasure which ʻplaces responsibility on the organization that collects and processes the information in the first place and reinforces that organization’s obligations under data protection lawʼ[footnoteRef:69] and what it termed ʻthe right to be forgottenʼ which, as it narrowly defined this, ʻonly affects search enginesʼ.[footnoteRef:70] As regards Canadian law, the paper argued that although ʻno right to be forgotten or erasure laws exist per seʼ, it was nevertheless the case that [68: Office of the Privacy Commissioner of Canada, The Strategic Privacy Priorities (n.d.), https://www.priv.gc.ca/en/about-the-opc/opc-strategic-privacy-priorities/the-strategic-privacy-priorities/.] 
[69: Office of the Privacy Commissioner of Canada, Online Reputation: What Are They Saying About Me?, https://www.priv.gc.ca/media/1810/or_201601_e.pdf, pp. 5-6.] [70: Ibid, p. 5.] Individuals have been turning to the OPC [Office of the Privacy Commissioner] for assistance when they come across websites that have posted their personal information without consent. The OPC oversees compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), which sets out the rules that private-sector organizations must follow when they handle personal information in the course of their commercial activities. Generally, organizations cannot collect, use or disclose personal information without consent unless an exception to the requirements for consent applies. The law also gives individuals the right to access and to ask for corrections to personal information an organization may have collected about them. Individuals who believe an organization covered by PIPEDA is not living up to its responsibilities under PIPEDA have the right to file a complaint with the OPC. The websites implicated by individuals who contact the OPC about reputational issues include dating sites, sites that re-post court and tribunal decisions, and, overwhelmingly, the so-called revenge and shaming sites.[footnoteRef:71] [71: Ibid, p. 6.] This publication then explored the jurisdictional and practical difficulties faced by the DPA in applying this framework to the internet, as well as the challenges arising from it not being “unusual to find personal information posted without consent on websites set up for strictly personal use with no commercial purpose”.[footnoteRef:72] A longer section explored existing and potential recourse in this area which might be available from intermediaries such as search engines and social networking sites, legislators, the courts, regulators, technology, individuals and through education. 
The DPA invited submissions on this topic, with a particular focus on helping the DPA ʻdevelop a position on remediesʼ[footnoteRef:73] including as this related to young people and other vulnerable groups. The consultation attracted 28 responses which explored many issues including as regards search engines.[footnoteRef:74] In January 2018, the DPA adopted a more formal but still draft position on online reputation. Alongside urging greater education and legislative attention in this area, this position backed a strong role for existing data protection law and regulation both in relation to original internet sources and also search engines. In sum, it stated that: [72: Ibid, p. 6.] [73: Ibid, p. 12.] [74: See Office of the Privacy Commissioner of Canada, Submissions Received for the Consultation on Online Reputation (n.d./2016), https://www.priv.gc.ca/en/about-the-opc/what-we-do/consultations/completed-consultations/consultation-on-online-reputation/submissions-received-for-the-consultation-on-online-reputation/. Submissions especially from Google Canada and the institutional media opposed applying the right to be forgotten to search engines, some others (e.g. Avner Levin of Ryerson University) strongly supported this and many more either addressed other aspects of this issue (see e.g. Facebook’s submission on the role of social networking sites) or adopted a narrower perspective (e.g. Yun Li-Reilly of Harvard University who supported some version of the right to be forgotten, which the consultation conceptualised as binding search engines, which could be invoked by children).] With respect to de-indexing, the OPC is of the view that PIPEDA applies to a search engine’s indexing of online content and display of search results. As such, search engines must meet their obligations under the Act. 
This includes allowing individuals to challenge the accuracy, completeness and currency (the extent to which the information is up-to-date) of results returned for searches on their name. Such challenges should be evaluated on a case-by-case basis, and decisions to remove links should take into account the right to freedom of expression and the public’s interest in the information remaining accessible … If an individual is able to successfully challenge the search results based on the above, it should be deindexed. However, lowering the ranking of a result or flagging a link or content as inaccurate or incomplete could be sufficient alternatives in some cases. With respect to source take down, PIPEDA provides individuals with the right to withdraw consent, and requires that personal information that is no longer needed be destroyed, erased or made anonymous. Taken together, this implies that individuals should have the ability to remove information that they have posted online. Where the personal information in question has been posted by others, individuals do not have an unqualified right to remove it. However, similar to de-indexing individuals should be provided with a mechanism by which they can challenge the accuracy, completeness and currency of information and, where such a challenge is successful, to have the information corrected, deleted or augmented, as appropriate.[footnoteRef:75] [75: Office of the Privacy Commissioner of Canada, Draft OPC Position on Online Reputation (2018), https://www.priv.gc.ca/en/about-the-opc/what-we-do/consultations/completed-consultations/consultation-on-online-reputation/pos_or_201801/.] Later in 2018 this DPA began actively exploring the possibility of enforcing this legal understanding vis-à-vis the Google search engine. 
However, the continuing preliminary nature of the published guidance is explained by this DPA’s agreement in October 2018 to refer certain preliminary questions to the Canadian Federal Court.[footnoteRef:76] These legal proceedings, as well as other enforcement efforts by G20 DPAs outside the EU, are examined in the next section. [76: Office of the Privacy Commissioner of Canada, Privacy Commissioner seeks Federal Court Determination on Key Issues for Canadians’ Online Reputation (10 October 2018), https://www.priv.gc.ca/en/opc-news/news-and-announcements/2018/an_181010/.]

G20 DPA Enforcement of the Right to be Forgotten outside the EU

For the purposes of this study, enforcement was understood broadly to encompass all specific interventions directed against particular data controllers that related to the policing of the interface between an individual’s data protection rights and the dissemination of personal information online. These interventions could be of varying intensity but needed to go beyond mere investigation. The website review in June 2020 indicated that the DPAs which had not produced any specific guidance on the right to be forgotten had also not undertaken any enforcement. However, late the following month, the Japanese DPA did publish an enforcement notice ordering two websites to cease publishing databases of individual bankruptcy information originally sourced from the Japanese National Bulletin and threatening criminal proceedings if they failed to do so.[footnoteRef:77] Meanwhile, with the exception of the Australian DPA which was found to be similarly inactive, the regulators who had published specific guidance were also found to have engaged in some enforcement. This section details these activities, starting with the least active regulator and ending with the one which has engaged in the most extensive range of enforcements. 
[77: The websites were found to have violated both the provisions on notice and (given the dissemination of personal data to third parties) consent which are set out in Japanese data protection law. As the operators of the two websites could not be located, the DPA had resorted to posting its initial recommendation online. See Japan, Personal Information Protection Commission, 個人情報の保護に関する法律に基づく行政上の対応について (28 July 2020), https://www.ppc.go.jp/files/pdf/200729_meirei.pdf. Press reports also suggested that when individuals applied to the operators for their deletion from the database, payment was demanded. See Asahi Shimbun Digital, 官報の破産者名を無断転載の2サイト閉鎖 初の停止命令 (20 December 2020), https://news.yahoo.co.jp/articles/3b1ee04772a05dc7a4a57daba1c5050f8511802b/.] Despite the fact that the Turkish DPA’s guidance elucidated above focused on the appropriate response to ex post claims for control by data subjects, the only example of enforcement located arose from the imposition of an administrative penalty for the initial inappropriate dissemination of personal data. In sum, in December 2019 this DPA fined a newspaper 125,000 Turkish Lira (approximately €20k at the time) for detailing, in an article about his son and without an appropriate public interest, that a data subject (the complainant) had taken a break from his employment duties due to cancer treatment.[footnoteRef:78] [78: Kişisel Verileri Koruma Kurumu, Bir gazete tarafından ilgili kişinin özel nitelikli kişisel verileri hakkında haber yapılmasına ilişkin Kişisel Verileri Koruma Kurulu’nun 09/12/2019 tarih ve 2019/372 sayılı Karar Özeti (2019), https://kvkk.gov.tr/Icerik/6663/2019-372. Although this is not explicitly stated, it is assumed that this article had some online presence as well as potentially also being published in hard copy. 
A different decision by this regulator rejected the claim of another data subject to have their name deleted from a newspaper column on the basis that the processing fell within the scope of freedom of expression, specifically noting in the process that this individual held a position of public concern. See Kişisel Verileri Koruma Kurumu, Bir Gerçek Kişinin Adının Geçtiği Köşe Yazısının Silinmesi Talebi (n.d.), https://kvkk.gov.tr/Icerik/5407/-Bir-Gercek-Kisinin-Adinin-Gectigi-Kose-Yazisinin-Silinmesi-Talebi.] Turning to the Russian DPA, there was no indication that this regulator had sought to enforce the data protection provisions which were enacted specifically in relation to search engines in 2015. In contrast, this DPA indicated that since at least 2014[footnoteRef:79] it had intervened many times through both interim measures and court action to block access to a range of websites which it argued had published personal information in violation of data protection. These websites were almost invariably held to have disseminated mass databases about members of the general public variously including their work,[footnoteRef:80] car registration,[footnoteRef:81] telephone,[footnoteRef:82] social media,[footnoteRef:83] home addresses[footnoteRef:84] and bank[footnoteRef:85] details. In many cases, the threat of action was held to have secured the removal of the problematic material prior to measures such as blocking having to be instituted.[footnoteRef:86] [79: Roskomnadzor, Роскомнадзор заблокирует более 60 сайтов в связи с нарушением законодательства о персональных данных (2 December 2015), https://pd.rkn.gov.ru/press-service/subject1/news4554/ (reporting that in 2014 Roskomnadzor and its territorial bodies had filed 28 lawsuits against 96 sites).] [80: Roskomnadzor, База данных с адресами более 1,5 млн россиян внесена в реестр нарушителей прав субъектов персональных данных (9 September 2015), https://pd.rkn.gov.ru/press-service/subject1/news4520/.] 
[81: Roskomnadzor, За 2 года по решению суда заблокировано более 300 сайтов с персональными данными россиян (6 May 2017), https://pd.rkn.gov.ru/press-service/subject1/news4666/.] [82: Ibid.] [83: Ibid and Russia, Roskomnadzor, Роскомнадзор обратился в суд для блокировки сайтов, дублирующих информацию пользователей российских социальных сетей (22 August 2019), https://pd.rkn.gov.ru/press-service/subject1/news4472/.] [84: Roskomnadzor, В Кургане выявлен зарубежный сайт с персональными данными миллиона жителей России и Казахстана (17 December 2019), https://pd.rkn.gov.ru/press-service/news4960.htm (reporting on the blocking of a foreign site allegedly containing the home addresses and also names and telephone numbers of a million Russians in an alphabetical database).] [85: Roskomnadzor, Заблокирован доступ к сайту с базами персональных данных 900 тысяч клиентов российских банков (14 June 2019), https://pd.rkn.gov.ru/press-service/subject1/news4468/ (reporting on the blocking of a website allegedly containing a database of some 900,000 customers of Russian banks).] [86: Roskomnadzor, С начала года на основании судебных решений заблокировано более 500 интернет-ресурсов, нарушающих законодательство о персональных данных (31 August 2018), https://pd.rkn.gov.ru/press-service/subject1/news4842/ (reporting that since the start of 2018 the Roskomnadzor had not only secured the blocking of 506 internet resources through their entry into a register of violations of the rights of personal data subjects but that the owners of another 640 sites had deleted the flagged information before being (potentially) subject to such a block).] The Canadian DPA was found to have engaged in the most wide-ranging, even if not necessarily the most intensive, enforcement of the right to be forgotten. Most of this enforcement involved action against internet resources at source who were disseminating personal data not directly sourced from the data subject. 
One of these, Globe24h, came to court for a final determination. However, as Table Two indicates, the Globe24h action has been but one of a range of actions which have also implicated other electronic databases and networking sites. Turning specifically to the Globe24h case, the Canadian DPA received multiple complaints about this Romanian website which was scraping Canadian court and tribunal decisions from official public repositories and republishing these with advertising. In contrast to the official repositories, Globe24h allowed full crawling by internet search engines, although it did offer to remove material on request, a process which it offered to expedite in return for payment. In June 2015 the DPA held that the website fell within Canadian data protection as a commercial activity with a real and substantial connection to Canada and was not otherwise exempt by, for example, pursuing exclusively journalistic purposes.[footnoteRef:87] It also found that it was not being conducted for a purpose which a reasonable person would consider appropriate in the circumstances and so held that Globe24h should remove the material and take action to ensure it was also erased from search engine caches. Although the procurement of payment was seen as exacerbating, the only necessary element of the DPA’s reasoning was that the website had “effectively undermined the balance between privacy and the open courts principle”[footnoteRef:88] established in Canada. Since Globe24h rejected the findings, the DPA committed to taking further action both in cooperation with the Romanian DPA[footnoteRef:89] and through the Canadian system. Later that year one of the complainants lodged a legal action and, alongside providing them with assistance, the DPA applied and was granted the status of an additional respondent. Grounded in cognate reasoning to the DPA, the final court judgment in January 2017 issued C$5,000 (c. 
€3,550) monetary compensation to the specific complainant, a declaration of systematic illegality and an injunction which upheld the original findings and also required Globe24h to refrain from copying and republishing Canadian decisions in a manner that contravened Canadian data protection law in the future.[footnoteRef:90] Shortly afterwards the website ceased to operate and on 23 March 2018 the DPA discontinued further investigation.[footnoteRef:91] [87: The other legal exemption examined and rejected concerned using publicly available information for a purpose directly related to the reason why the information appeared in this form.] [88: Office of the Privacy Commissioner of Canada, PIPEDA Report of Findings #2015-002, https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2015/pipeda-2015-002/ at [87].] [89: The Romanian DPA had already issued a fine against Globe24h for violation of Romanian data protection law, although this penalty was being challenged in court (Ibid at [99]).] [90: See A. T. v Globe24.com and Sebastian Radulescu 2017 FC 114. Technically, the rulings applied to Radulescu as the sole controller of the website.] [91: Office of the Privacy Commissioner of Canada, OPC discontinues additional complaints against Globe24h.com following investigation into the same privacy issues - discontinued case summary #2015-002 (23 March 2018), https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/disc/2015/pipeda-2015-002/.]

Table Two: Canadian DPA Enforcement against Internet Resources at Source beyond Globe24h

Internet Source & DPA Case Reference | Brief Details and Principal Outcome | Further Details and Secondary Holdings

Facebook #2013-010[footnoteRef:92] [92: Office of the Privacy Commissioner of Canada, PIPEDA Report of Findings #2013-010, https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2013/pipeda-2013-010.]
- Concern mere removal of malicious impersonation of teenager on site (a non-user) was insufficient.
- Facebook agreed in future to facilitate process whereby non-users themselves could notify those “friended” by imposter.
- DPA rejected complainant’s argument that Facebook should itself notify befriended on basis that (i) could lead to further publicity and (ii) inappropriate to expect Facebook to arbitrate in such interpersonal disputes.

Public Executions #2017-007[footnoteRef:93] [93: Office of the Privacy Commissioner of Canada, PIPEDA Report of Findings #2017-007, https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2017/pipeda-2017-007/]
- Website enabled anyone trying to collect court-ordered debt ability for a fee to post debtor details including amount, address, photograph and allegations. Visitors encouraged to post tips which poster could incentivize. Fully searchable including on internet engines.
- DPA sought a court order to stop publication which led to website being taken down.
- Principal purpose found to be coercing payment and held inappropriate.
- Website rejected findings and court action commenced but discontinued when led to website take down.

Profile Technology #2018-002[footnoteRef:94] [94: Office of the Privacy Commissioner of Canada, PIPEDA Report of Findings #2018-002, https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2018/pipeda-2018-002/]
- New Zealand company republished static copy of Facebook’s public material on own site which users could join and edit. Included profiles and forums related to +4m Canadians alongside advertising.
- DPA held that all profiles and group forums associated with Canadians and not claimed for ongoing use by individual be deleted.
- Prior to issuance of findings, material removed but uploaded in partially encrypted torrent files to Internet Archive. DPA committed to monitoring implications.
- Rejected argument that exempt as “publication” constituted by data subject.
- Held consent would be appropriate and had not been forthcoming.
- Held that processing purpose of populating new site illegitimate.
- Commitment between Canadian and New Zealand DPAs to further collaborate.
- Failure to set reasonable retention period for helpdesk tickets also censured.

411Numbers #2019-005[footnoteRef:95] [95: Office of the Privacy Commissioner of Canada, PIPEDA Report of Findings #2019-005, https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2019/pipeda-2019-005/]
- Publication of database of name, telephone and address data including that unlisted ab initio and/or subsequently (despite claim had undertaken some screening against this).
- Finding to remove all unlisted details worldwide and implement due diligence measures to ensure future information did not contain these. Accepted by company. DPA committed to ongoing monitoring.
- Aggravating practice of charging fee for (quick) removal abandoned before ruling.
- Held obtaining unlisted numbers required consent and had not been forthcoming.
- Hong Kong company but reach beyond Canadian records grounded in owner and sole employee residing in Canada.
- Amendments to complaints handling and (inaccuracies in) privacy policy also specified by DPA.

On the back of a specific complaint lodged in June 2017 and following release of its interim position on online reputation in January 2018, the Canadian DPA has also attempted to take action against Google to ensure that it acts on Canadian claims for name-based deindexing under data protection. 
Google challenged this and in October 2018 the Canadian DPA agreed to stay action pending a court determination as to its jurisdiction.[footnoteRef:96] Lengthy interlocutory proceedings have followed, which have focused on an unsuccessful attempt by Google to add a question challenging Canadian data protection on constitutional freedom of expression grounds and an application by various media organisations to be parties to the case which was also rejected on the basis inter alia of indications that they might simply replicate Google’s efforts. In July 2020, the Canadian Broadcasting Corporation and also the Canadian Internet Policy and Public Interest Clinic were granted limited rights to intervene. Developments to date are summarised in Table Three below and, as can be seen there, a hearing on the merits took place in January 2021. [96: Office of the Privacy Commissioner of Canada, Privacy Commissioner seeks Federal Court determination on key issue for Canadians’ online reputation (10 October 2018), https://www.priv.gc.ca/en/opc-news/news-and-announcements/2018/an_181010/.]

Table Three: Canadian DPA Action on Search Engines and the Right to be Forgotten

Date | Summary | Further Details

2017, June 16 | Specific complaint lodged | Complainant argued for deindexing of online news articles against their name on basis that were outdated, inaccurate, disclosed sensitive personal data about sexual orientation and medical condition and caused serious harm.[footnoteRef:97] [97: Reference re Subsection 18.3(1) of the Federal Courts Act 2019 FEC 957 at [9].]

2018, January 26 | DPA Interim Position on Reputation | Held that individuals can challenge name-based indexing by search engines on basis of accuracy, completeness and currency.

2018, October 10 | DPA Reference to Federal Court | DPA refers whether Google search exempt from data protection on basis that not a relevantly commercial activity and/or exclusively journalistic or literary. Investigations stayed. Rejects similar demand based on constitutional freedom of expression as premature and fact-specific.[footnoteRef:98] Google challenges this judicially.[footnoteRef:99] [98: Canada, Office of the Privacy Commissioner, Privacy Commissioner seeks Federal Court determination on key issue for Canadians’ online reputation (10 October 2018), https://www.priv.gc.ca/en/opc-news/news-and-announcements/2018/an_181010/] [99: Reference re Subsection 18.3(1) of the Federal Courts Act 2019 FEC 957 at [12].]

2018, November 2 | First Court Order on Parties & Google’s continued challenge | Court allowed Canadian Attorney General, the complainant and Google to become parties, and for latter two to challenge scope of reference questions. Google immediately resumes constitutional rights challenge.[footnoteRef:100] [100: Ibid at [14]-[15].]

2018, December 21 & 27 | Media groups apply to be Parties | Applications made by Canadian Broadcasting Corporation (CBC) and a broader Media Coalition.[footnoteRef:101] [101: Federal Court, Proceedings Queries Recorded Entry(ies) for T-1779-18, https://apps.fca-caf.gc.ca/pq/IndexingQueries/infp_RE_info_e.php?select_court=All&court_no=T-1779-18, Documents 23 and 28.]

2019, March 1 | Court rules against Media as Parties (or in alternative Interveners). | CBC and Media Coalition were not “necessary” parties and had not shown that their contributions would go beyond Google’s. Intervener status premature prior to confirmation of questions. Both initially appeal, but Coalition discontinues 31 May 2019.[footnoteRef:102] [102: Reference re Subsection 18.3(1) of the Federal Courts Act 2019 FEC 957 at [16]-[17].]

2019, April 16 | Court rejects Google’s constitutional motion | DPA granted broad discretion on questions and no evidence that it had made relevant findings of fact for constitutional motion. Alternative claim to strike reference rejected.[footnoteRef:103] Google appeals. [103: Reference re Subsection 18.3(1) of the Federal Courts Act 2019 FC 464.]

2019, July 22 | Rejection of Google’s appeal | DPA had discretion to bring reference and jurisdictional questions could be answered on own. Constitutional challenge only in these proceedings admission required case-by-case analysis. But at merits stage Google could still argue that questions were improper.[footnoteRef:104] [104: Reference re Subsection 18.3(1) of the Federal Courts Act 2019 FC 957 at [57]-[79].]

2019, July 22 | Rejection of CBC’s appeal | CBC’s claim that was a “necessary” Party rejected on basis that it would entail every person who uses Google or posts on the Internet likewise being the same. Also confirmed Intervener status premature.[footnoteRef:105] [105: Ibid at [81].]

2020, July 24 | CBC & CIPPIC granted limited Intervener status | CBC and the Canadian Internet Policy and Public Interest Clinic (CIPPIC) granted right to make written submission of fact and law of maximum 15 pages. Other potential interveners rejected.[footnoteRef:106] [106: Federal Court, Proceedings Queries Recorded Entry(ies) for T-1779-18 (supra note 102), Documents 224 and 225.]

2020, November 9 | Prothonotary Oral Directions | Noted that virtual hearing was scheduled to commence on 27 January 2021 and directed Registry to ensure complainant’s identity remains confidential throughout each step of the hearing.[footnoteRef:107] [107: Federal Court, Proceedings Queries Recorded Entry(ies) for T-1779-18 (supra note 102), First Montré]

Analysis and Potential Future Developments

It is important to explore the findings presented in the previous two sections alongside previous analysis of formal statutory law vis-à-vis the right to be forgotten in the eleven non-EU G20 jurisdictions that have now adopted data protection. 
As summarised in section one, this research found that, subject to certain exceptions related especially to the journalistic media, all of these frameworks could be read to support such a right, not only when data processing raised inaccuracy concerns but also on wider legitimacy grounds. In contrast, the research presented in this paper found considerably less comprehensive regulatory activity. In some cases, the different patterns revealed may be explained through a deeper analysis of the statutory law. Thus, as also elucidated in the first section, during the time of the research neither Brazil nor South Africa had brought their law into force and additionally the Indonesian framework was found not to include a regulatory authority. More specifically, the lack of enforcement by the Russian DPA of the right to be forgotten specific to search engines can be directly related to the fact that, in contrast to the data protection law generally, the particular provisions on search engines within Russia have been placed within an information technology law[footnoteRef:108] which only grants the ordinary courts, rather than Roskomnadzor, supervisory jurisdiction. Nevertheless, in many other cases, the patterns are much more challenging to explain. For example, Canadian federal data protection only grants data subjects an explicit right to challenge processing on the grounds of inaccuracy[footnoteRef:109] rather than broader legitimacy and also includes far-reaching exclusions for processing conducted outside the course of commercial activities[footnoteRef:110] and/or for journalistic, artistic or literary purposes.[footnoteRef:111] Nevertheless, as noted above, the Canadian Privacy Commissioner has drawn on broader substantive duties related to processing for an appropriate purpose and obtaining consent where appropriate in order to carry out the most extensive activity in this area outside of the EU. 
In contrast, although the Mexican framework includes none of the aforementioned limitations,[footnoteRef:112] the DPA here does not appear to have conducted any similar action. Whilst the legislative frameworks in Argentina, Japan and Korea are more nuanced,[footnoteRef:113] the lack of activity by DPAs within these jurisdictions is also not easily explicable on statutory grounds. It is possible that some of these differences can be linked back to other legal differences including constitutional provisions and/or binding jurisprudence. However, many such arguments are unlikely to be clear-cut and, in any case, lie beyond the specific focus of this article.[footnoteRef:114] In addition, DPAs generally have a notoriously wide mandate and often extremely limited resources. Indeed, even within the EU which has positioned itself as a champion of this framework, it has been found that ʻ[t]he lack of financial and human resources has a negative impact on the quality and quantity of the DPAs’ work, and limits their ability to control and sanction data protection violationsʼ.[footnoteRef:115] As the Canadian case highlights especially clearly, engagement in this area can be extremely resource intensive not only financially but also in terms of people and time. It may, therefore, be that DPAs operating within similar political and legal systems are wary of getting involved in this territory out of concern for its potential to place unmanageable burdens on them. [108: See Федеральный закон от 27.07.2006 N 149-ФЗ (ред. от 03.04.2020) "Об информации, информационных технологиях и о защите информации", https://legalacts.ru/doc/FZ-ob-informacii-informacionnyh-tehnologijah-i-o-zawite-informacii/.] [109: Canada, Personal Information Protection and Electronic Documents Act, para. 4.9.5 of Sch. 1.] [110: Ibid, s. 4(1)(a).] [111: Ibid, s. 4(2)(c).] 
[112: As a partial caveat to this, it should be noted that Mexican law does reserve some but not all data protection duties to situations where personal data is systematically organized. See Mexico, Federal Law on the Protection of Personal Data held by Private Parties, art 3(II).] [113: Similarly to Canada, these three jurisdictions set out an absolute exemption for certain forms of journalistic and similar activity. They also require that personal data be organized in some way in order to fall within the scope of the framework. Nevertheless, in an online context, the extent to which the latter stipulation constitutes a far-reaching limitation should not be exaggerated. Thus, in marked contrast to information published in traditional format which is hard to retrieve, personal data published on the Internet can be readily found as a result of the deployment of systematically programmed search tools and other organising aids. Moreover, these tools are becoming ever more advanced as a result of socio-technological development.] [114: For further analysis of the Argentinian and Japanese cases see contributions by Marcelo Alfonsín and Itsuko Yamaguchi in Franz Werro (ed), The Right to be Forgotten: A Comparative Study of the Emergent Right’s Evolution and Application in Europe, the Americas, and Asia (Springer, 2020).] [115: European Union, Agency for Fundamental rights, Access to Data Protection Remedies in EU Member States (2013), http://fra.europa.eu/sites/default/files/fra-2014-access-data-protection-remedies_en.pdf, 46.] Although not as extensive as the previous formal statutory analysis might suggest, it is nevertheless striking that considerable regulatory interest in the right to be forgotten has emerged post-2014 not only within the EU but also within the wider G20. 
Indeed, a bare majority of national DPAs operating in non-EU G20 jurisdictions with established data protection regulation are now engaged in this area and, similarly to the EU, such action has principally focused on active intermediaries such as search engines. These jurisdictions exhibit significant variation. Geographically, they encompass not only the extra-EU European area (Russia, Turkey) but also the Americas (Canada) and the Asia-Pacific (Australia), although echoing Voss and Castets-Renard’s previous work[footnoteRef:116] it is perhaps striking that Asia itself is conspicuous by its absence.[footnoteRef:117] Their general approach to internet governance is also diverse. Russia has been found to pursue a policy of ʻnetworked authoritarianismʼ which attempts to ʻcarefully control the expression of dissent in a way that gives the impression of limited freedom of expression without allowing dissent to gain tractionʼ.[footnoteRef:118] This involves combining ʻlegal and technical meansʼ including both direct ʻbarriers to accessʼ and enabling such access to be denied ʻon a case-by-case basisʼ with an increasing focus on a ʻproactive public relations (or propaganda) strategyʼ.[footnoteRef:119] The latter has become notorious for its covert ʻinformation warfareʼ which involves deploying ‘“bot” and “trolls”’[footnoteRef:120] designed to ʻtur[n] open societies against themselves, creating chaos and breeding suspicionʼ.[footnoteRef:121] Although there is no suggestion that the Russian DPA has become involved in these last activities, its wide-ranging functions mean that it is the principal actor through which Russia implements its general internet policy in the legal and technical arena. 
Indeed, it would appear not unrelated to this that in 2016 this DPA had its application for accreditation to the then International Conference of Data Protection and Privacy Commissioners (now the Global Privacy Assembly) rejected, although it was granted a more limited observer status.[footnoteRef:122] Turkish internet policy displays certain similarities to Russia, although it combines this with a ʻstrong diplomatic and security relationship with the Euro-Atlantic alliance that champions an open, decentralized, and distributed global communications network secured through the participation of various stakeholdersʼ.[footnoteRef:123] In contrast to Turkey and most especially Russia, Australian and Canadian online policy approaches are located firmly within this ‘Euro-Atlantic’ paradigm. Indeed, at least Canada may be placed between the largely laissez-faire approach of the United States, with its strong emphasis on the free flow of information, and the EU with its equal ʻdetermination to protect the individualʼ[footnoteRef:124] including through positive State-backed human rights safeguards. Thus, Deturbide and Scassa note that [116: Voss and Castets-Renard (2015) (supra note 8), 342.] [117: Note, however, the recent example of DPA enforcement action in Japan (supra note 76).] [118: Nathalie Maréchal, ‘Networked Authoritarianism and the Geopolitics of Information: Understanding Russian Internet Policy’ (2017) 5 Media and Communication 29, 36.] [119: Ibid, 36.] [120: UK Parliament, Intelligence and Security Committee, Russia (2020), https://docs.google.com/a/independent.gov.uk/viewer?a=v&pid=sites&srcid=aW5kZXBlbmRlbnQuZ292LnVrfGlzY3xneDo1Y2RhMGEyN2Y3NjM0OWFl, 12.] [121: Maréchal (2017) (supra note 119), 37-8.] 
[122: International Conference of Data Protection and Privacy Commissioners, 38th International Conference Accreditation Resolution and Explanatory Note (2016) http://globalprivacyassembly.org/wp-content/uploads/2015/02/Accreditation-resolution-2016-revised-20.10.2016-1.pdf.] [123: Tuba Eldem, ‘The Governance of Turkey’s Cyberspace: Between Cyber Security and Information Security’ (2020) 43 International Journal of Public Administration 452, 462.] [124: Andrej Savin, EU Internet Law (2nd Edition) (Elgar, 2017), 3.] Canadian courts look to the American experience with legal issues raised by new technologies. It is not unusual for cutting-edge issues to be raised first in the United States, and there is often a body of U.S. case law that has developed over time on any particular issue before the matter arises in Canada … The laws of the European Union (EU) are also of significance not only because the EU is an important trading partner for Canada, but because of the historical roots of Canada’s legal system in both the civil and common law. In some cases, Europe offers a significantly different model than the United States for dealing with digital commerce. Privacy and data protection, for example, is a key area of difference.[footnoteRef:125] [125: Michael Deturbide and Teresa Scassa, Digital Commerce in Canada (LexisNexis, 2020), xi-xii. Deturbide and Scassa also noted that “[t]he law of jurisdictions such as the United Kingdom, Australia and New Zealand can also be important and influential in Canada, largely because of our shared legal heritage” (xi).] In light of the internet’s globalised nature, it is clear that effective implementation of the right to be forgotten requires transnational coordination. In principle, such coordination can enable greater legal certainty for cross-border data controllers, establish more effective remedies for data subjects and reduce the resource burden placed on DPAs by creating a more interoperable regulatory environment. 
The growing interest in the right to be forgotten globally indicates that some such coordination may now be possible even outside of an EU context. Previous work[footnoteRef:126] suggested that the G20 might itself perform such a task and it is certainly the case that since the launch in 2017 of its Taskforce on the Digital Economy[footnoteRef:127] the G20 has actively engaged in data protection. For example, in June 2019 it issued a set of principles on artificial intelligence[footnoteRef:128] and in June 2020 it followed this up with a set of examples of national policies which could help advance these same principles.[footnoteRef:129] Nevertheless, the G20 would not appear well placed to lead in this area. It remains entirely informal and, absent any central secretariat or continuing institutional machinery, lacks the tools necessary to ensure a harmonized approach within areas of high technicality and sensitivity. Any G20 initiative here would necessarily remain entirely ‘soft’ and advisory. Indeed, given the G20’s makeup, there would be serious danger otherwise that its outcomes would become implicated in the authoritarian approaches to internet governance noted above.[footnoteRef:130] [126: Erdos and Garstka (2020) (supra note 24), 17.] [127: Germany, Federal Ministry for Economic Affairs and Energy, G20 – Shaping Digitisation at the Global Level (n.d./2017) https://www.bmwi.de/Redaktion/EN/Artikel/Digital-World/g20-shaping-digitalisation-at-global-level.html] [128: G20 Ministerial Statement on Trade and Digital Economy, Annex – G20 AI Principles (n.d./2019) https://www.mofa.go.jp/files/000486596.pdf] [129: G20 Digital Economy Ministers Meeting Ministerial Declaration, Annex 1: Examples of National Policies to Advance the G20 AI Principles (2020) https://g20.org/en/media/Documents/G20SS_Declaration_G20%20Digital%20Economy%20Ministers%20Meeting_EN.pdf.] 
[130: Both Maréchal (2017) (supra note 11) and Eldem (2020) (supra note 124) argue that Russia and China are the dominant actors supporting a problematic approach of ‘networked authoritarianism’ within internet governance. Additionally, Saudi Arabia has its own strongly authoritarian stance here. See generally Alisa Shishkina and Leonid Issaev, ‘Internet Censorship in Arab Countries: Religious and Moral Aspects’ (2018) 9 Religions 358. All three countries are full members of the G20.] To date, it is not the G20 but the Organisation for Economic Cooperation and Development (OECD) and the Council of Europe that have played a central role in efforts to coordinate data protection frameworks on a wide global scale. The OECD was the first organisation to produce a set of cross-regional guidelines on privacy in 1980.[footnoteRef:131] Its current membership spans not only Europe and North America but also South America, Asia and the Pacific.[footnoteRef:132] As Table One indicates it also includes 12 G20 members. Nevertheless, not dissimilarly to the G20, its work on privacy and data protection has remained entirely ‘soft’ in nature and, in recent years, has not been extensive.[footnoteRef:133] In contrast, the Council of Europe has been a crucial catalyst behind data protection legislation since the 1970s and since 1981 has sponsored the only Data Protection Convention that is open to ratification by States worldwide.[footnoteRef:134] Although this Convention was drafted in ʻclose collaborationʼ[footnoteRef:135] with the OECD, it diverges from the OECD Guidelines not only in its human rights focus but also in its legally binding nature and additionally the inclusion of formal machinery in the form of a Convention Consultative Committee. This Committee has the function inter alia of “at the request of a Party, express[ing] an opinion on any question concerning the application