The Right to Be Forgotten in Indonesia: Progression or Regression?

 

 

 

 

The Internet has a unique characteristic, in that once information has been posted online – it will theoretically stay there forever. In July 2010, Rosen penned an article for The New York Times titled ‘The Web Means the End of Forgetting’. In the article, Rosen relates the story of Stacy Snyder, a high-school teacher who posted a picture of herself drunk above the caption “Drunken Pirate.” Her Alma Mater subsequentlydenied her the teaching degree that she had earned after the picture surfaced on the basis that, “She does not represent the university.”[3] Rosen went on to explain how the characteristics of the internet can thus be perceived as a threat within the context of data privacy.[4] This characteristic of the internet – the fact that it cannot forget – represents a challenge as regards the implementation of the Right to be Forgotten (“RtbF”) provision.

 

 

Mr Gonzalez is a Spanish citizen and ultimately fought his RtbF case for a full five years. The case revolved around the fact that Mr Gonzalez was unhappy due to the fact that every time he “Googled” his name, he stumbled upon news articles from La Vanguardia which related to the announcement of a real-estate auction which followed the recovery of social security debts that he owed back in 1990. In its judgment, the Court Justice of the European Union (“Court”) decided that Google was ultimately the controller of the data in question and was thus obliged to remove the content which was deemed “inadequate, irrelevant or excessive about the purposes of the processing,”[5] as requested by Mr Gonzalez as a data subject. This judgment marked the adoption of the RtbF by the European Union (“EU”).

 

Two years after the judgment, the European Parliament adopted the General Data Protection Regulation (“GDPR”), which offered greater clarity on the provision of RtbF. The GDPR itself will enter into force in 2018 and any companies (which are located either within the EU or outside it) which do not follow the provision(s) will be fined. The graphic below shows the timeline for the implementation of the RtbF, from 1995 to 2018.

 

 

Indonesia is the first country in Asia to adopt the RtbF through the enactment of the Amendment to the EIT Law.[6] In addition to the Amendment to the EIT Law, the RtbF provision is also mentioned under: 1) Draft Law on the Protection of Personal Data (“Draft Law”); and 2) Ministry of Communications and Informatics Regulation No. 20 of 2016 on the Protection of Personal Data Held in Electronic Systems (“Minister’s Regulation”).

 

 

The adoption of the RtbF in Indonesia encompasses various pros and cons. One of the pros is that the RtbF provides a higher level of protection to data subjects. Indonesia has a low level of protection as regards the privacy of data subjects. Under the previous draft of the EIT Law, the law only provided that the electronic system providers to obtain consent from data subjects. There were no further requirements which related to any levels of privacy as imposed by electronic system providers in order to protect the privacy of their users. Consent itself is a complicated theme, however, especially in the current era of big data. In a world where data is transferable between one processor and millions of others, we can never really be sure whether we have granted full consent as regards the processing of our personal data.

 

The adoption of the RtbF, together with the upcoming legislation on privacy, shows the commitment of the current government to protecting the privacy of its citizens. Thus, the adoption of the RtbF provision in Indonesia is indeed a sign of progress. However, it is not enough to merely issue a regulation. The Indonesian government should also consider how to enforce the various provisions which are set out in the issuing regulation.

 

The implementation of the RtbF within the EU itself is still proving controversial and several criticisms regarding the RtbF have been voiced. Firstly, based on the judgment of the Court, specifically paragraph 99, the judges have expressed the view that it is necessary to always strike a balance between the right to privacy and the freedom of expression. In her paper, Eleni Frantziou[7] wrote, “How much is too much protection of privacy?”

 

Frantziou believes that it is impossible to monitor whether a balance can be struck between these two rights.[8] The RtbF is seen as leaning too far towardsprivacy at the expense of freedom of expression. Hence the RtbF is deemed to be a form of censorship and is seen as preventing the public from accessing the information that it needs or should know. Furthermore, the Advocate General[9] has also stated that the RtbF entails an interference with the freedom of expression of the publisher, as its publication will thus become more difficult for internet users to locate.[10]

 

Secondly, the RtbF mechanism that enables users to directly request that Google remove certain items also has its pros and cons. Some people think this mechanism is an efficient one, while others believe that it gives too much power to Google – who act in the role of a judge – thus it may lead to censorship by a private company.

 

Thirdly, under the judgment of the CJEU, an exception is granted for data subjects who are exposed to the public sphere – i.e., public figures. Since there are insufficient guidelines from the court, it seems that the criteria for the designation of public figures will have to proceed on a case-by-case basis. Everyone can agree that a celebrity is considered a public figure, for example, but what about an athlete? A CEO? A priest? Or even a criminal? It is thus important for the government to set adequate criteria in order to define public figures, otherwise, similar cases will produce different judgments.

 

Fourthly, there is an ongoing discussion relating to how effective the RtbF will ultimately prove to be in terms of protecting an individual’s privacy or of stopping the dissemination of data subjects’ personal data through the internet.

 

 

Referring to the above, the wording of the RtbF provision as set out under the GDPR and the Amendment to the EIT Law are not the same. The wording of the RtbF provision under Indonesian Law will, at the least, have two different impacts from those of the EU. I will now highlight these impacts, which will possibly manifest themselves after the RtbF provision has been enacted in Indonesia.

 

 

Under the GDPR, the EU differentiates between the term “controller” and “processor”. This distinction is important, as the GDPR only requires the controller, and not the processor, to remove personal data under the provision of the RtbF. The rationale behind this is that any such removal should be undertaken by the party who has control over the data.

 

Article 29 WP[11] makes a distinction between the “controller” and “processor” and aims to distinguish who is responsible for personal data and who is only acting on behalf of other parties.[12] Thus, not all companies who hold the personal data of data subjects are obliged under the GDPR to remove said data upon the request of the data subjects. Under Article 4 of the GDPR, a controller is defined as a party who determines the purposes and means of the processing of personal data.[13] Meanwhile, a processor is a party who processes data on behalf of the controller (including the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, aligning or combining, restricting, erasing or destroying).[14]The controller can be deemed as a boss or the person in charge who determines what data should be processed, as well as why and how this process should be carried out. The processor should be the member of staff who will undertake the relevant job based on the instructions of the person in charge.[15]

 

However, it is very difficult in the current business climate to clearly distinguish between the concepts of controller and processor. In the Google Spain case, for example, there were a number of conflicting arguments that emerged between the states and Google as to whether the search engine company should be deemed as a controller or a processor.

 

Mr Gonzalez, together with the Spanish, Italian, Austrian and Polish Governments and the European Commission, considered Google to be a controller because it determines the means and purpose of the processing of the data.[16] On the other hand, Google argued that its activities should not be regarded as the processing of data, as Google did not display the relevant information on its site by affecting the selection of personal data and other information, and even if the activities of Google were deemed to involve the processing of personal data, Google was of the view that they were not the party responsible for determining the means and purposes of the personal data – so they could not ultimately be defined as a controller.

 

Finally, my recommendation to the Indonesian government is not to compound the uncertainties that surround the above concepts. The regulators and other stakeholders should not confuse the term “controller” and “processor” in relation to the enforcement of the RtbF. As long as the relevant electronic system providers have the capacity to remove the requested content from its sites, they should be obliged to do so.

 

 

“Google didn't ask to be the decision maker." - Eric Schmidt (Google Chairman)[17]

 

In Indonesia, the government has adopted a different stance from that of the EU in terms of how a request will proceed. In the EU, data subjects may send requests directly to the electronic-system provider or to the controller. Google, for instance, has set up a system that has received 1.5 million requests across all categories since this process began to be implemented across Europe (as quoted in an interview with Peter Fleischer which took place in August 2016).[18] The system was established in 2014 for users in the EU, the European Economic Area (i.e., Iceland, Liechtenstein, and Norway) and Switzerland,[19] just thirteen days after the judgment in the Google Spain Case was handed down. Upon receiving any requests, Google will now examine said requests and decide whether to take down any URLs that contain the personal data of users. On the other hand, the Indonesian government has decided that the courts should have the authority to determine whether or not the relevant URLs should be taken down.

One major drawback of granting authority to the Indonesian courts is the prevailing bureaucracy. Applying to the court can consume significant amounts of both time and energy, and in many cases, there will also be a distinct lack of certainty regarding anything that an Indonesian court does. Indeed, it is possible that two similar cases will generate completely different decisions, dependent on the panel of the judges dealing with the case. As a result of these factors, the granting of authority to the courts as regards this area may ultimately make data subjects reluctant to apply. Thus, this provision will not achieve its goals, as data subjects will become disinclined to exercise their rights in the context of a dysfunctional system.

On the other hand, the granting of authority to Indonesian courts may also offer some incentives as regards the implementation of the RtbF in Indonesia.

 

 

The requirement for private companies to operate their own RtbF systems may place a burden upon the finances of such companies. Google, as one of the world’s leading tech giants, has around 100 employees who deal solely with RtbF requests.[20] Indeed, Google is planning to hire more employees in order to handle the extra workload.[21] However, few companies have the financial resources of Google at their disposal. Indeed, many tech companies are start-ups which are dependent upon donator funding. Are such companies also required to implement similar systems?

 

 

One of the critiques of the prominent role of Google in the implementation of the RtbF provision is the role of Google as a private company acting as a private administrative agency, including quasi-lawmaking, quasi-adjudicative and quasi-enforcement powers.[22]Google’s European Communications Director, Peter Barron, has stated: “Google never expected or wanted to make… These complicated decisions that would in the past have been extensively examined in the courts…”

 

There are some risks involved in granting Google, a private company, the authority to adjudicate upon issues of data protection, including lack of transparency. Indeed, both applicants and the general public may not receive adequate information on how a company strikes a balance between the right to privacy and the right to freedom of expression, as well as the reasons as to why any requests that they make are either approved or rejected. This is despite the fact that Google has already committed to publishing transparency reports in order to explain any information that they have removed.

 

Furthermore, it seems that there are no specific criteria that Google uses in order to decide whether or not to delete certain information. Indeed, Peter Fleischer stated in an interview: “If it is not a public figure and it is a minor issue, and there is not much public interest in it, we would probably remove it.”[23] – this quote reveals a lack of certainty as regards any determination of whether content should be removed. Ultimately, the RtbF is a derogation of the right to privacy, which is an integral part of any overarching framework of human rights. Human rights involve positive obligations which the state has to respect, protect and implement. Thus, the state has the biggest role to play in enforcing the human rights of its citizens. The court is one of the primary state agencies that have the authority to grant decisions relating to human rights and other matters. That is why courts may be the most relevant agency as regards dealing with the RtbF issue.

 

Finally, the implementation of the RtbF indeed shows that progress is being made in relation to the protection of personal data within Indonesia. However, there can also be a regression if the government does not think carefully about the side and ripple effects of the implementation of any such provision. Indeed, the implementation of the RtbF across the EU still incites various controversies, despite the fact that the EU is seen as a role model for other countries within the context of privacy. Thus, I recommend that the Indonesian government should sit back and invite all stakeholders working in the field of privacy (including data subjects) to engage in further discussions on the proposed implementing regulation which will address the RtbF. In order to keep up with the increasingly complex issues which are starting to arise due to the fundamental clash between privacy and freedom of expression, the Indonesian government needs to draft and pass a comprehensive legislation on the RtbF.

 

The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official position of Hukumonline.com