A Child’s Right to be Forgotten: Letting Go of the Past and Embracing the Future?

Eva Lievens

Affiliation:

Carl Vander Maelen

Affiliation:

Date Received:

Date Accepted:

Date:

Publication Date (Print):

DOI: https://doi.org/10.29263/lar02.2019.03

Abstract

The European Union’s General Data Protection Regulation confirms the right of the data subject to have his or her personal data erased in its Article 17. Recital 65 GDPR clarifies that this right is particularly relevant where children have given their consent not being fully aware of the risks involved by the processing, and later want to remove personal data, especially on the Internet. Yet, the right to erasure is not absolute. When processing is necessary for a number of legitimate reasons, such as for the exercise of the right to freedom of expression and information, the right to erasure will not apply. This article seeks to explore the right to erasure from a dynamic child rights perspective, and aims to identify a number of challenging questions that may arise in practice, and that are related to the balance with other rights and interests, the required transparency, the potential to ask for erasure where others (for instance, parents) have shared information about the child or given consent on behalf of the child, the desirability of erasure-by-default systems, and enforcement by Data Protection Authorities.

Keywords:

Right to be forgotten

right to erasure

General Data Protection Regulation

child

children’s rights

data protection

freedom of expression

data protection authorities

El derecho al olvido de los niños: ¿dejar atrás el pasado y aceptar el futuro?

El artículo 17 del Reglamento General de Protección de Datos de la Unión Europea (RGPD) confirma el derecho de los sujetos a que sus datos personales sean eliminados. La razón 65 del RGPD aclara que este derecho es particularmente relevante cuando un niño da su consentimiento sin ser plenamente consciente de los riesgos que implica el tratamiento, y más adelante quiere suprimir tales datos personales, especialmente en internet. Sin embargo, el derecho de supresión no es absoluto. Cuando el tratamiento es necesario por varias razones legítimas, como para el ejercicio del derecho a la libertad de expresión e información, el derecho de supresión no aplica. Este artículo busca explorar el derecho de supresión desde la perspectiva dinámica del derecho de los niños, y busca identificar varias preguntas complicadas que pueden surgir en la práctica, y que están relacionadas con el equilibrio con otros derechos e intereses, la transparencia requerida, el potencial de solicitar la supresión cuando terceros (por ejemplo, los padres) han compartido información sobre el niño o dado consentimiento en nombre del niño, la conveniencia de los sistemas de supresión por defecto, y la aplicación de la regulación por parte de las autoridades de protección de datos.

Palabras clave:

Derecho al olvido

derecho de supresión

Reglamento General de Protección de Datos

niños

derechos de los niños

protección de datos

libertad de expresión

autoridades de protección de datos

1. INTRODUCTION

The so-called ‘right to be forgotten’ is a potentially very powerful tool to enhance children’s rights in the digital environment, yet it is also a fiercely discussed topic in the context of the European Union’s data protection framework. Even though the right to erasure had already been included in Article 12 of the Data Protection Directive1 since 1995,2 the concept of being ‘forgotten’ on the Internet was catapulted to the forefront of public and academic debate in 2014 by the Google Spain judgment of the Court of Justice of the European Union (CJEU).3 It confirmed that the ‘right to be forgotten’ might be enforced, allowing a data subject “to restrict or terminate dissemination of personal data that he considers to be harmful or contrary to his interests”.4

The General Data Protection Regulation (GDPR), the EU’s newest data protection instrument that entered into force on 25 May 2018, contains in its Article 17, ‘the right to erasure’, with ‘the right to be forgotten’ added after it in the title, between parentheses. This formulation reflects earlier discussions on the extent to which these rights differ from each other or actually mean or aim to achieve the same.5 According to the European Data Protection Supervisor, Article 17 ‘strengthens’ the right to erasure “into a right to be forgotten to allow for a more effective enforcement of this right in the digital environment”.6 It is also our view that Article 17 GDPR does not create a new right, but rather describes the right to erasure in a much more detailed and explicit manner than before. In fact, it stipulates that the data subject (the person whose data is processed) has “the right to obtain from the controller the erasure of personal data concerning him or her without undue delay” in a variety of circumstances, such as when the data are no longer necessary for the purposes for which they have been collected, or when consent is withdrawn, or the data subject objects to the processing. This obligation is thus incumbent on the ‘controller’, a term that indicates any “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.7 Since the GDPR applies to all entities —whether established in the EU or not— that offer goods or services to, or monitor the behaviour of EU citizens,8 the territorial scope is wide enough to extend to data controllers (e.g. online service providers) from potentially anywhere in the world.

Another innovation that was not included in the 1995 Data Protection Directive is the explicit manner in which the GDPR emphasises the relevance of the right to be forgotten for children. Children and adolescents might not be fully aware of the fact that their personal data is processed, nor of the fact that there is a variety of actors who process their data (such as government administrations, schools, business enterprises, and other individuals). Research has found, for instance, that young teenagers might not be commercially literate enough to realise that their data are used for commercial purposes.9 Additionally, children might not always be able to envisage the long-term consequences of disclosing personal information, especially in the digital environment.10 As they grow older, they might not want to be linked to information with which they do not longer identify. In such cases, the right to erasure enables a mitigation of the persistence, visibility, spreadability, and searchability of online information, which can hamper their exploration of, and experimentation with their identity.11

This article seeks to explore the right to erasure from a dynamic child rights perspective, arguing that for children in particular, the right to be forgotten might prove of significant importance to aid the realisation of their rights to development, freedom of expression and information, and private life. It also aims to identify a number of challenging questions that may arise in practice, such as considerations regarding the balance that should be struck with other rights and interests; the transparency required of controllers in informing children about the right to erasure; the desirability of default systems; the potential to ask for erasure where others (for instance, parents) have shared information about the child or given consent on behalf of the child; and, finally, the enforcement by Data Protection Authorities (DPA’s).

Although the debate about the right to erasure has also been of importance in jurisdictions outside of the European Union, such as in Colombia,12 Brazil13 and California,14 the focus of this article is limited to the right as conceptualised in the GDPR, and the human and children’s rights frameworks that underpin the rights that the right to erasure might help realise. These frameworks not only encompass those of the European Union (EU) and Council of Europe (CoE), and the human rights documents issued by those institutions, but also include the United Nations Convention on the Rights of the Child (UNCRC), ratified by 195 countries worldwide.

2. THE RIGHT TO ERASURE FOR CHILD DATA SUBJECTS

In contrast to its predecessor, the GDPR does devote specific attention to the protection of the personal data of children. Recital 38 acknowledges that this particular group of data subjects merits ‘specific protection’ regarding their personal data. Although the notion “child” is not defined in the GDPR, it has been argued both by scholars and Article 29 Working Party (WP29), that, in accordance with the UNCRC, ratified by all EU Member States, a child is a person under the age of 18 years.15

Recital 38 reflects children’s general right to privacy that directly stems from the UNCRC and is shaped by Article 6 on the child’s right to development, Article 8 on the right of the child to preserve his or her identity, and Article 16 on the right of the child not to be subjected to arbitrary or unlawful interference with his or her privacy, family, home, or correspondence.16 The child’s right to privacy and data protection, as well as to such protection and care as is necessary for his or her well-being, are also both indirectly and directly included in the CoE European Convention on Human Rights (ECHR)17 and the EU Charter on Fundamental Rights (CFREU).18

These rights are interpreted differently for children than they are for adults because children are not yet psychologically and physically mature,19 but are developing physically and mentally to become adults. The EU WP29 confirmed that the rights of the child, and the exercise of those rights —including that of data protection— should be expressed in a way that appreciates this special situation which children find themselves in.20

The right to be forgotten in particular is a right that recognises both the immaturity and the development of children.

Recital 65 GDPR literally states that this right is of particular relevance for children if consent to processing has been given as a child who “is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the Internet”. This has also been pitched as the ‘clean slate’ argument: ‘sins’ committed while growing up, should not haunt someone forever.21

It is undeniable that information that is posted, shared or disseminated on the Internet can have an enormous impact on an individual’s private life. Due to its easy accessibility and global reach, the Internet has facilitated an increase in privacy-related risks and infringements, such as harassment.22 The abuse of a teenager’s private information by others is all the more harmful in this digital society where the Internet is omnipresent and where results of an online search “may do more than anything else in the world to define a stranger in others’ estimations”.23 It must be reiterated in this regard that children are not always aware of the gravitas of the information that they share, or of the longevity with which it is stored. Furthermore, in addition to data that is consciously shared by a child, van der Hof also points to ‘data given off’ —which is data that just by being and acting online through computers and mobile devices, is collected, mostly unconsciously or unknowingly— and ‘inferred data’ —which is new data that is derived from other data, consisting of patterns and correlations.24 Consequently, the possibility to erase information with which they no longer identify when growing older may truly be in the child’s ‘best interests’, in line with Article 3 UNCRC and Article 24 (2) CFREU.25

For data controllers, it means that if children’s personal data have been collected and processed, “particular weight” should be given “to any request for erasure if the processing of the data is based upon consent given by a child, especially any processing of their personal data on the Internet”.26 This is also the case when the data subject who requests the erasure of certain data is no longer a child and when parents consented on his or her behalf as a child.27 The question arises of whether data controllers should ask data subjects for further information that could confirm their identity, in order to avoid circumstances where individuals could request the erasure of data about others. In this respect, the UK Information Commissioner’s Office has stated that if there are any doubts about the identity of the person making the request, data controllers can ask for more information, while ensuring that the only information requested is that which is necessary to confirm who the data subject is.28

Equally important is the fact that “where the controller has made the data public, […] [he] must take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data”.29 In the digital environment, which is permeated with spreadability of information, this obligation is essential, yet difficult to implement. Especially with respect to the ‘data given off’ and ‘inferred data’, mentioned above, this might be very complex, or even unfeasible. Data Protection Authorities (DPAs) have clarified that this is an obligation of means or endeavour, instead of an obligation of result.30

In general, it should be as easy for a child to exercise their right to erasure as it originally was to provide the data.31 However, in practice, this will not always be so straightforward or even possible, for instance, because other rights are at stake.32

3. BALANCING THE RIGHT TO ERASURE WITH OTHER RIGHTS AND INTERESTS

Article 17 GDPR recognises that the right to erasure is not absolute. When processing is necessary for a number of legitimate reasons, most notably the exercise of the right to freedom of expression and information, it will not apply.33

A balance between privacy and personal data protection on one hand,34 and the freedom of expression on the other, is incredibly difficult to obtain. After all, these rights are fundamental rights guaranteed by Articles 8 and 11 CFREU and Articles 8 and 10 ECHR, and, as such, considered to be of equal value.35

In particular, freedom of expression and information are basic elements of a democratic society, as the CoE’s European Court of Human Rights (ECtHR) has stated in countless cases regarding Article 10 of the Convention. This led many to express grave worries concerning the impact of a far-reaching right to be forgotten on other fundamental rights.36 Following the Google Spain case, several news organisations also objected to Google removing links to their articles from its search results.37

The importance of the open nature of the Internet, and how it contributes to the freedom of expression and information, has been strongly defended,38 and echoed in a number of ECtHR judgments: the Internet enhances access to news and facilitates “the sharing and dissemination of information generally”.39

Prima facie it seems problematic to justify a drastic interference such as erasing information with the right to freedom of expression. However, there are many who believe that the right to be forgotten on the Internet is necessary because of the digital environment’s inherent ‘eternity effect’40 as well as the difficulty in removing online content or a social media account.41 However, in certain circumstances, the right to freedom of expression must prevail. For example, if a child grows up to be a public figure (like a politician),42 their online past could be relevant to the public which would be a reason to refuse the erasure of his or her personal data, a possibility recognised in recital 65 GDPR.43 The extent to which the information concerned is relevant to the public interest will be a guiding criterion in the balancing exercise between the right to a private life and personal data protection, and the freedom to receive information.

In this respect, we argue that human judgment is necessary to evaluate whether a request for erasure should indeed be complied by, whether it would risk negatively impacting the freedom of expression, or whether one of the other exemptions laid down in Article 17(3) applies. This requires investment in (new) staff to investigate claims for erasure, as the alternative —the deployment of automated systems or algorithms to decide upon such claims— might not be able to appreciate context44 nor be able to carry out the balancing exercise described above. At the same time, risks of over-compliance must be mitigated, as companies might seek to avoid legal disputes and thus (automatically) erase information in any case of doubt, resulting —in turn— in negative repercussions on freedom of expression.

4. TRANSPARENCY AND THE CHILD’S RIGHT TO ERASURE

Awareness and knowledge about the right to erasure are prerequisites to a meaningful exercise thereof. The principle of transparency, put forward in Article 5 (1) a) GDPR, is further elaborated in Articles 12, 13 and 14 GDPR. Data controllers must, according to Article 13 (2) b) and Article 14(2) c) GDPR, inform the data subject of the existence of the right to request, from the controller, access to and rectification or erasure of personal data. This information should “be specific to the processing scenario and include a summary of what the right involves and how the data subject can take steps to exercise it and any limitations on the right”.45 Additionally, the information must be communicated in a concise, transparent, intelligible and easily accessible manner, using clear and plain language, in particular when children are addressed. This means that the vocabulary, tone and style of the language used must be appropriate to and resonate with children.46 Examples given of ways in which this information can be conveyed are, for instance, comics or cartoons, pictograms and animations.47 Data controllers might actually test the child-friendliness of the information that they need to share with children through user panels48 or focus groups composed of children (of different ages).

As such, informing children in a way that makes them aware of their right to erasure and how to exercise this right will not reach or empower each and every child. There will always be children (and the same goes for adults) who will not absorb or assimilate such information, and, hence, not put their rights into practice.

5. THE DESIRABILITY OF ERASURE-BY-DESIGN SYSTEMS FOR CHILDREN’S DATA?

A possible remedy for the finding that transparency can only do so much, could be the adoption of “erasure-by-design” with respect to children. The principles of data protection by design and default, which have been advocated for quite some time, were explicitly incorporated in Article 25 GDPR. These principles require data controllers to “implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects” and to “implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed”.49 It has been suggested before that these principles present opportunities that might mitigate some of the issues with individual -children’s or parental- control over personal data, by incorporating individual control rights into the data systems operation, hence potentially making them more effective.50

With respect to children, proposals regarding erasure-by-design or default have been put forward in the past, for instance by the Canadian Public Interest Advocacy Centre (PIAC) in the context of the 2010 Government Consultation on A Digital Economy Strategy for Canada. As PIAC suggested:

Once children reach the age of majority, organisations that have collected and used personal information should no longer be permitted to retain the information gathered during the child’s “legal minority’ and should be required to remove the information immediately unless the newly adult person gives his or her explicit consent to the continued collection, use and possible future disclosure of their personal information gathered during their minority.51

Whereas such a mechanism could indeed put the ‘clean slate’ argument into practice, it would require taking the views of the data subject into consideration and necessitate his or her consent. Not all data subjects will want the personal data collected and processed during their youth to be erased.52 However, it could be imagined that this possibility is offered by data controllers when a data subject turns 18, at least in cases where controllers are actually aware of the age of the data subject.53

6. THE RIGHT TO ERASURE AND ‘SHARENTING’

During childhood and youth, personal data of children is not only collected or processed from the child. Information, such as pictures, videoclips or messages concerning the child, are often shared by parents (or other family members). This practice, often denoted as ‘sharenting’, a contraction between ‘sharing’ and ‘parenting’, is widespread.54 It has been argued to be “a practice of self-representation by and of parents and their parenting rather than, simply, parents’ supposedly unthinking exposure of their children”.55 However, others claim that sharenting may cause children substantial embarrassment and anxiety, and that harsh comments by third parties upon sharented information can negatively impact a child’s self-respect.56 In certain circumstances, the parents’ right to freedom of expression and to family-life can, hence, enter into conflict with the child’s right to privacy and data protection.57 As such, parents should “take the child’s best interests into consideration and consult the child about what is shared about them, in accordance with their age and maturity”.58 Yet, not all parents always actually abide by this principle. Furthermore, especially during adolescence, when the child is fully exploring his or her identity, parents and children may not see eye to eye.

In circumstances in which children are affected by sharenting and where dialogue with their parent(s) runs awry, the right to erasure could, in our view, in relation to data stemming from sharenting, be exercised by data subjects, either as a child that can be considered competent to do so (see below) or as an adult in relation to data that was processed when the data subject was still a child. Two caveats are worth noting in this regard. First, in circumstances where sharenting can be considered to be a “purely personal or household activity”, the GDPR and, hence, the right to erasure will not apply.59 Whether or not this is the case, will depend on the concrete circumstances of each case. Certain activities on social networking sites, for instance, could fall within this household exemption,60 others arguably not. Second, children that are not (yet) legally competent to exercise their right to erasure, and have to rely on their parent or guardian to do so, will evidently find themselves in a more difficult situation when it comes to the exercise of their right to erasure vis-à-vis their parent(s). In this regard, perhaps Article 80 (1) GDPR could provide for a remedy, as this allows a data subject to mandate a not-for-profit body, organisation or association with statutory objectives which are in the public interest, and active in the field of the protection of data subjects’ rights and freedoms to lodge the complaint on his or her behalf. It could be imagined that children could rely on child advocacy services or other organisations representing the interests of children to lodge a complaint on their behalf.61

7. EXERCISING THE RIGHT TO ERASURE AND THE ROLE OF DATA PROTECTION AUTHORITIES

As a general principle, data protection rights can be exercised by the person whose rights are at stake: the data subject.62 The exercise of rights under the GDPR should be easy, free and quick. Recital 59 clarifies that

Modalities should be provided for facilitating the exercise of the data subject’s rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.

Of course, when children are involved, national legislation that includes rules on legal competence needs to be taken into account. Such rules might differ from country to country,63 and may depend on a specific age, or on maturity or a child’s level of understanding. With regard to the right to erasure, those younger than 18 that are considered to be legally competent will (and should) be able to exercise this right.64 Where children are not competent, the holder of parental responsibility can (usually) exercise the right on the child’s behalf,65 except, for instance, in cases where this is clearly not in the best interests of the child.66 Importantly, where the holder of parental responsibility does act on behalf of the child, the child’s right to be heard, as laid down in Article 12 UNCRC and Article 24 CFREU should be taken into account, in accordance with the child’s age and maturity.67

In practical terms, when the child or his or her representative wants to exercise the right to erasure, first, the data controller needs to be contacted with the request.68 Subsequently, the controller must provide information on the action taken with respect to the request without undue delay and, in any event, within one month of receipt of the request.69 If the controller decides not to take action, the data subject must be informed (again, without delay and at most within one month) of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.70 This means that in case a child or his or her representative is not satisfied with the decision of the data controller not to erase certain data, it is possible to file a complaint with the competent Data Protection Authority (DPA),71 which will investigate and assess the case.

In addition to complaining to a DPA, data subjects also have the right to an effective judicial remedy where they consider that their rights under the GDPR have been infringed, and can thus enforce their right to erasure before a (national) court. Ultimately, in case this proves unsatisfactory, disputes might, in the future —if the relevant procedural requirements are respected— end up at the CJEU, or —given the possible conflicts between the right to respect private life and the right to freedom of expression and information— within the context of Article 8 or 10 ECHR applications at the ECtHR. If this occurs, it will be interesting to see whether converging or diverging balancing exercises will be carried out by the two courts.

8. CONCLUSION

The digital environment is “reshaping children’s lives in many ways, resulting in new opportunities for and risks to their well-being and rights”.72 It is undeniable that throughout childhood, and sometimes even before, ever-increasing amounts of personal data relating to children are collected and processed. One of the starting points of the GDPR is that natural persons should have control of their own personal data.73 The right to erasure is one mechanism that allows data subjects to exercise such control. It can only be welcomed that the GDPR emphasises that this right is particularly relevant for children, as it will allow them -at least to the extent that they wish-to let go of the past. In certain instances, this will be necessary in order for them to be able to fully embrace the future.

As such, we argue that the exercise of this right must be approached from a children’s rights perspective. This entails that, except in narrowly interpreted circumstances where other interests prevail, the balance should tip towards erasure when children exercise their right. In any case, the primary consideration in assessing requests must be the child’s best interests and their rights to development and respect for private life. All actors involved —data controllers, parents and DPAs— must commit to this.

Of course, the potential of the right to erasure with respect to the child data subject can only be realised if subjects are aware of the existence of this right and if the threshold for the exercise thereof is sufficiently low. Although this may be in part accommodated by enhancing children’s media or data literacy levels, in the end, data controllers should facilitate both child-friendly information and a child-friendly procedure, and, if not, DPAs will be able to hold them accountable.74 At this point in time, it is very hard to predict how the right to erasure will be put into practice with respect to children’s data. The coming months and years will bring more clarity in terms of the extent to which data subjects embrace the right, best practices by data controllers, guidance and decisions by DPAs, and, perhaps, judgments of courts in disputes.

BIBLIOGRAPHY

Legislation and Policy Documents

A. United Nations

1. 

United Nations. “Convention on the Rights of the Child”. UNTS 1577, 1989.

B. Council of Europe

2. 

Council of Europe. “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data”. ETS 108, 1981.

3. 

Council of Europe. “Draft guidelines to promote, protect and fulfil children’s rights in the digital environment”. 2017.

4. 

Council of Europe. “Recommendation CM/Rec (2018)2 of the Committee of Ministers to member States on the roles and responsibilities of Internet intermediaries”. March 7, 2018.

C. European Union

5. 

European Parliament and European Council. “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data”. Official Journal L. 281. November 23, 1995.

6. 

European Commission. “Nellie Kroes, Speech: Freedom of Expression is No Laughing Matter”. September 2, 2014.

7. 

European Parliament and European Council. “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC”. Official Journal of the European Union L 119/1.

8. 

Fundamental Rights Agency. “Children’s rights and justice: Minimum age requirements in the EU”. 2018.

D. Article 29 Working Party

9. 

Article 29 Working Party. “Working Document 1/2008 on the protection of children’s personal data”. February 18, 2008.

10. 

Article 29 Working Party. “Opinion 5/2009 on online social networking”. June 12, 2009.

11. 

Article 29 Working Party. “Opinion 2/2010 on online behavioural advertising”. June 22, 2010.

12. 

Article 29 Working Party. “Guidelines on the implementation of the Court of Justice of the European Union judgment on “Google Spain and Inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12”. November 26, 2014.

13. 

Article 29 Working Party. “Guidelines on transparency under Regulation 2016/679”. April 11, 2018.

E. Brazil

14. 

PLC 53/2018 (Data Protection Bill of Law) (July 10, 2018).

F. California

15. 

California Assembly, Assembly Bill n.° 375 (California Consumer Privacy Act of 2018) (June 28, 2018).

G. Colombia

16. 

Law 1266 of 2008. “Por la cual se dictan las disposiciones generales del hábeas data y se regula el manejo de la información contenida en bases de datos personales, en especial la financiera, crediticia, comercial, de servicios y la proveniente de terceros países y se dictan otras disposiciones”. December 31, 2008. DO: 47219.

Case law

A. Court of Justice of the European Union

17. 

Court of Justice of the European Union. Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (C-131/12). May 13, 2014.

18. 

Court of Justice of the European Union. Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (C-131/12). May 13, 2014. Opinion of Advocate General Jääskinen, point 108.

B. European Court of Human Rights

19. 

European Court of Human Rights. Neij and Kolmisoppi v. Sweden, n.° 40397/12. February 19, 2013.

20. 

European Court of Human Rights. Wegrzynowski and Smolczewski v. Poland, n.° 33846/07. July 16, 2013, para. 56.

C. Colombian Constitutional Court

21. 

Colombian Constitutional Court. Sentencia T-444/92 (M.P. Alejandro Martínez Caballero: July 7, 1992).

Doctrine

A. Books

22. 

Boyd, Danah. It’s complicated: the social lives of networked teens. New Haven: Yale University Press, 2014.

B. Contributions in books

23. 

Ciavarella, Rachele and Cecil De Terwangne. “Online Social Networks and young people’s privacy protection: the role of the right to be forgotten”. In Minding minors wandering the web: regulating online child safety, edited by Simone van der Hof, Bibi van den Berg and Bart Schermer (La Haya: Asser Press Springer, 2014), 157-172.

24. 

Groothuis Marga M. “The Right to Privacy for Children on the Internet”. In Minding minors wandering the web: regulating online child safety, edited by Simone van der Hof, Bibi van den Berg and Bart Schermer (La Haya: Asser Press Springer, 2014), 143-156.

25. 

Lievens, Eva, Sonia Livingstone, Sharon McLaughlin, Brian O’Neill and Valerie Verdoodt. “Children’s Rights and Digital Technologies”. In International Human Rights of Children, edited by Ursual Kilkelly and Toon Liefaard (Singapur: Springer, 2018), 1-27.

26. 

van der Hof, Simone. “No Child’s Play: Online Data Protection for Children”. In Minding minors wandering the web: regulating online child safety, edited by Simone van der Hof, Bibi van den Berg and Bart Schermer (La Haya: Asser Press Springer, 2014), 127-142.

C. Articles

27. 

Bessant, Claire. “Sharenting: balancing the conflicting rights between parents and children”. Communications Law 23, n.° 1 (2018): 7-24, http://nrl.northumbria.ac.uk/33818/

28. 

Blum-Ross, Alicia and Sonia Livingstone. “’Sharenting,’ parent blogging, and the boundaries of the digital self”. Popular Communication 15, n.° 2 (2017): 115-125, https://doi.org/10.1080/15405702.2016.1223300

29. 

Blume, Peter. “The data subject”. European Data Protection Law Review 1, n.° 4 (2015): 258-264, https://doi.org/10.21552/EDPL/2015/4/4

30. 

Bunn, Anna. “The curious case of the right to be forgotten”. Computer Law & Security Review 31, n.° 3 (2015): 336-350, https://doi.org/10.1016/j.clsr.2015.03.006.

31. 

Cofone, Ignacio N. “Google v. Spain: A Right To Be Forgotten?” Chicago-Kent Journal of International and Comparative Law 15, n.° 1 (2015): 1-11, https://papers.ssrn.com/sol3/papers. cfm?abstract_id=2548954.

32. 

Koops, Bert-Jaap, “Forgetting Footprints, Shunning Shadows: A Critical Analysis of the ‘Right to Be Forgotten’ in Big Data Practice”. SCRIPTed 8, n.° 3 (2011): 229-256, http://dx.doi.org/10.2139/ssrn.1986719.

33. 

Kulk, Stefan and Frederik Zuiderveen Borgesius. “Google Spain v. Gonzalez: Did the Court Forget about Freedom of Expression?” European Journal of Risk Regulation 5, n.° 3 (2014): 389-398, https://ssrn.com/abstract=2491486.

34. 

Lievens, Eva and Valerie Verdoodt. “Looking for needles in a haystack: key issues affecting children’s rights in the General Data Protection Regulation”. Computer Law & Security Review 34, n.° 2 (2018): 269-78, https://doi.org/10.1016/j.clsr.2017.09.007.

35. 

Steinberg, Stacey. “Sharenting: children’s privacy in the age of social media”. Emory Law Journal 66 (2017): 839-884, https://ssrn.com/abstract=2711442.

36. 

Van der Hof, Simone. “I agree… or do I? – A rights-based analysis of the law on children’s consent in the digital world”. Wisconsin International Law Journal 34 (2017): 409-445, http://hdl.handle.net/1887/58542.

37. 

Van der Hof, Simone y Eva Lievens. “The importance of privacy by design and data protection impact assessments in strengthening protection of children’s personal data under the GDPR”. Communications Law 23, n.° 1 (2018): 33-43, https://ssrn.com/abstract=3107660.

D. Blog posts

38. 

Livingstone, Sonia and Ólafsson, Kjartan. “Children’s commercial media literacy: new evidence relevant to UK policy decisions regarding the GDPR”. Media Policy Project (blog), January 26, 2017. http://blogs.lse.ac.uk/mediapolicyproject/2017/01/26/childrens-commercial-media-literacy-new-evidence-relevant-to-uk-policy-decisions-regarding-the-gdpr/.

39. 

Peers, Steve. “The CJEU’s Google Spain Judgment: Failing to Balance Privacy and Freedom of Expression”. EU Law Analysis (blog), May 13, 2014. http://eulawanalysis.blogspot. co.uk/2014/05/the-cjeusgoogle-spain-judgment-failing.html.

40. 

Rolando, Caro. “How “The Right to Be Forgotten” Affects Privacy and Free Expression”. IFEX (blog), July 21, 2014. https://www.ifex.org/europe_central_asia/2014/07/21/right_forgotten.

41. 

Vassall-Adams, Guy. “Case comment: Google Spain SL, Google Inc vs. Agencia Española de Protección de Datos, Mario Costeja González”. Eutopia Law (blog), May 16, 2014. https://eutopialaw.com/2014/05/16/case-comment-googlespain-sl-google-inc-v-agencia-espanola-de-proteccion-de-datos-mario-costeja-gonzalez/.

Media

42. 

Arthur, Charles. 2014. “UK news organisations criticise Google over implementation of new law”. The Guardian, July 3. https://www.theguardian.com/technology/2014/jul/03/google-right-to-be-forgotten-law-uk-news-search-requests.

43. 

Romano, Aja. 2018. “How Facebook made it impossible to delete Facebook”. Vox, March 22. https://www.vox.com/culture/2018/3/22/17146776/delete-facebook-difficult.

44. 

Zittrain, Jonathan. 2014. “Don’t Force Google to ‘Forget’”. The New York Times, May 14. https://www.nytimes.com/2014/05/15/opinion/dont-force-google-to-forget.html.

Miscellaneous

45. 

European Data Protection Supervisor. “Opinion on the data protection reform package”. March 7, 2012.

46. 

Fundamental Rights Agency and Council of Europe. “Handbook on European Data Protection Law 2018 edition”. 2018.

47. 

Gegevensbeschermingsautoriteit. “Het recht om uw gegevens te laten wissen”. https://www.gegevensbeschermingsautoriteit.be/het-recht-om-uw-gegevens-te-laten-wissen-art-17-avg#overlay-context=.

48. 

Lansdown, Gerison. “Every child’s right to be heard: A resource guide on the UN Committee on the Rights of the Child General Comment n.° 12”, 2011, https://www.unicef.org/french/adolescence/files/Every_Childs_Right_to_be_Heard.pdf.

49. 

Public Interest Advocacy Centre. “Submission to the Government Consultation on A Digital Economy Strategy for Canada”, 2010, https://corporationscanada.ic.gc.ca/eic/site/028.nsf/eng/00217.html#p3.2.3.

50. 

Reporters Without Borders. “EU court enshrines “right to be forgotten”, in Spanish case against Google”. May 14, 2014, https://rsf.org/en/news/eu-court-enshrines-right-be-forgotten-spanish-case-against-google.

51. 

UK Information Commissioner’s Office. “Guide to the GDPR – Right to erasure”. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/.

52. 

UK Information Commissioner’s Office. “Guide to the GDPR – Children”. https://ico.org. uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/children-and-the-gdpr/what-rights-do-children-have/#_Right_to_be.

53. 

Walz, Stefan. “Relationship between the freedom of the press and the right to informational privacy in the emerging information society”, 19th International Data Protection Commisars Conference, 1997.

Notes

[1] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal L. 281, November 23, 1995, 31–50; no longer in force. Article 12 stipulated that “Member States shall guarantee every data subject the right to obtain from the controller: […] (b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data […]”.

[2] As well as Article 9 (1) e) of the 1981 Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.

[3] Court of Justice of the European Union, (Google Spain SL and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González). C-131/12 (May 17, 2014).

[4] Court of Justice of the European Union, (Google Spain SL and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González). C-131/12 (May 17, 2014). Opinion of Advocate General Jääskinen, point 108.

[5] See, for instance, Bert-Jaap Koops, “Forgetting Footprints, Shunning Shadows: A Critical Analysis of the ‘Right to Be Forgotten’ in Big Data Practice”. SCRIPTed 8, n.° 3 (2011): 229-256, http://dx.doi.org/10.2139/ssrn.1986719; Ignacio N. Cofone, “Google v. Spain: A Right To Be Forgotten?” Chicago-Kent Journal of International and Comparative Law 15, n.° 1 (2015): 1-11, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2548954.

[6] “Opinion on the data protection reform package”, European Data Protection Supervisor, March 7, 2012, point 146.

[7] The EU General Data Protection Regulation (GDPR). Article 4 (7) May 25, 2018.

[8] GDPR. Article 3.

[9] Sonia Livingstone and Kjartan Ólafsson, “Children’s commercial media literacy: new evidence relevant to UK policy decisions regarding the GDPR”, Media Policy Project (blog), January 26, 2017, http://blogs.lse.ac.uk/mediapolicyproject/2017/01/26/childrens-commercial-media-literacy-new-evidence-relevant-to-uk-policy-decisions-regarding-the-gdpr/.

[10] Rachele Ciavarella and Cecil De Terwangne, “Online Social Networks and young people’s privacy protection: the role of the right to be forgotten”, in Minding minors wandering the web: regulating online child safety. eds., Simone van der Hof, Bibi van den Berg y Bart Schermer (La Haya: Asser Press Springer, 2014), 158; GDPR. Recital 65. May 25, 2018.

[11] Danah Boyd, It’s complicated: the social lives of networked teens (New Haven: Yale University Press, 2014).

[12] The Colombian ‘habeas data’ principle is enshrined in Article 15 of the Colombian Constitution, and has been further developed in the context of financial services. See: Corte Constitutional Colombia, T-444/92 July 7, 1992 MP Alejandro Martínez Caballero; Law 1266 of 2008, December 31, 2008. Disposiciones generales del hábeas data. Diario oficial 47219.

[13] Such as Brazil’s Data Protection Bill, which foresees two instances of erasure in its Article 18. Section IV states that the data subject has the right to obtain “deletion of data unnecessary, excessive or processed contrary to the Bill.” Section VI goes further by determining that erasure can also be obtained “of personal data processed with the consent of the holder, except in the cases provided for in Art. 16 of this Law”. See: Brazil Senate, PLC 53/2018 (Data Protection Bill of Law) (10 July 2018).

[14] California Assembly, Assembly Bill No. 375 (California Consumer Privacy Act of 2018) (28 June 2018). Its version of the right to be forgotten can be found in Article 1798.105, and the Bill will enter into force on January 1, 2020. In addition, the Online Eraser Law was adopted in 2013 (California Senate, Senate Bill No. 568 (Online Eraser Law) (23 September 2013)).

[15] Simone van der Hof, “I agree… or do I? - A rights-based analysis of the law on children’s consent in the digital world”, Wisconsin International Law Journal 34, n.° 2 (2017): 409-445, http://hdl.handle.net/1887/58542; “Guidelines on transparency under Regulation 2016/679” Article 29 Working Party, April 11, 2018, 10.

[16] Marga M. Groothuis, “The Right to Privacy for Children on the Internet”, in Minding minors wandering the web: regulating online child safety. eds., Simone van der Hof, Bibi van den Berg and Bart Schermer (La Haya: Asser Press Springer, 2014), 152.

[17] European Court of Human Rights (ECHR). Article 8. September 3, 1953.

[18] Charter of Fundamental Rights of the European Union (CFREU). Articles 7, 8 and 24. December 18, 2000.

[19] Simone van der Hof, “No Child’s Play: Online Data Protection for Children”, in Minding minors wandering the web: regulating online child safety, eds., Simone van der Hof, Bibi van den Berg and Bart Schermer (La Haya: Asser Press Springer, 2014), 129.

[20] “Working Document 1/2008 on the protection of children’s personal data,” Article 29 Working Party, February 18, 2008; “Opinion 2/2010 on online behavioural advertising”, Article 29 Working Party, June 22, 2010; “Opinion 5/2009 on online social networking”, Article 29 Working Party, June 12, 2009.

[21] Anna Bunn, “The curious case of the right to be forgotten”, Computer Law & Security Review 31, n.° 3 (2015): 336-350, https://doi.org/10.1016/j.clsr.2015.03.006; Simone van der Hof y Eva Lievens, “The importance of privacy by design and data protection impact assessments in strengthening protection of children’s personal data under the GDPR”, Communications Law 23, n.° 1 (2018): 37, https://ssrn.com/abstract=3107660.

[22] Council of Europe. “Recommendation of the Committee of Ministers to member States on the roles and responsibilities of internet intermediaries. CM/Rec (2018)2”, March 7, 2018.

[23] Jonathan Zittrain, “Don’t Force Google to ‘Forget’”, The New York Times, May 14, 2014, https://www.nytimes.com/2014/05/15/opinion/dont-force-google-to-forget.html.

[24] Simone van der Hof, “I agree… or do I? - A rights-based analysis of the law on children’s consent in the digital world”, Wisconsin International Law Journal 34, (2017): 409-445, http://hdl.handle.net/1887/58542.

[25] Eva Lievens and Valerie Verdoodt, “Looking for needles in a haystack: key issues affecting children’s rights in the General Data Protection Regulation”, Computer Law & Security Review 34, n.° 2 (2018): 269-278, https://doi.org/10.1016/j.clsr.2017.09.007. The UN Convention on the Rights of the Child 1989 (UNCRC) recognizes children as holders of fundamental rights rather than mere objects of protection. The best interest of the child entails that “in all actions concerning children […] the best interests of the child shall be the primary consideration” (Art 3 UNCRC).

[26] “Guide to the GDPR – Right to erasure,” UK Information Commissioner’s Office, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/.

[27] GDPR. Recital 65.

[28] GDPR. Article 12 (6); “Guide to the GDPR – Right to erasure,” UK Information Commissioner’s Office, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/.

[29] GDPR. Article 17(2).

[30] “Het recht om uw gegevens te laten wissen”, Gegevensbeschermingsautoriteit, https://www.gegevensbeschermingsautoriteit.be/het-recht-om-uw-gegevens-te-laten-wissen-art-17-avg#overlay-context=; “Opinion of the data protection reform package”, European Data Protection Supervisor, March 7, 2012, 147.

[31] “Guide to the GDPR – Right to erasure”, UK Information Commissioner’s Office, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/. Recital 65 GDPR.

[32] Peter Blume, “The data subject”, European Data Protection Law Review 1, n.° 4 (2015): 258-264. https://doi.org/10.21552/EDPL/2015/4/4.

[33] See Article 17(2) GDPR. Other reasons are “for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3); for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or for the establishment, exercise or defence of legal claims”. Recital 4 GDPR also emphasizes the importance of balancing the various rights at stake more in general: “The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.”

[34] Whether personal data protection is considered as a subset of privacy, or as a standalone right.

[35] European Court of Human Rights, Wegrzynowski and Smolczewski v. Poland, n.° 33846/07, July 16, 2013, para. 56.

[36] Stefan Kulk and Frederik Zuiderveen Borgesius, “Google Spain v. Gonzalez: Did the Court Forget about Freedom of Expression?”, European Journal of Risk Regulation 5, n.° 3 (2014): 389, https://ssrn.com/abstract=2491486; Steve Peers, “The CJEU’s Google Spain Judgment: Failing to Balance Privacy and Freedom of Expression”, EU Law Analysis, (2014), http://eulawanalysis.blogspot.co.uk/2014/05/the-cjeusgoogle-spain-judgment-failing.html; Caro Rolando, “How “The Right to Be Forgotten” Affects Privacy and Free Expression”, IFEX, (2014), https://www.ifex.org/europe_central_asia/2014/07/21/right_forgotten; Guy Vassall-Adams, “Case comment: Google Spain SL, Google Inc v. Agencia Española de Protección de Datos, Mario Costeja González”, Eutopia Law, (2014), https://eutopialaw.com/2014/05/16/case-comment-googlespain-sl-google-inc-v-agencia-espanola-de-proteccion-de-datos-mario-costeja-gonzalez/; “EU court enshrines “right to be forgotten” in Spanish case against Google”, Reporteros sin Fronteras, May 14, 2014, https://rsf.org/en/news/eu-court-enshrines-right-be-forgotten-spanish-case-against-google.

[37] Charles Arthur, “UK news organisations criticise Google over implementation of new law”, The Guardian, July 3, 2014, https://www.theguardian.com/technology/2014/jul/03/google-right-to-be-forgotten-law-uk-news-search-requests.

[38] Nellie Kroes, Speech: “Freedom of Expression is No Laughing Matter,” European Commission, September 2, 2014, http://europa.eu/rapid/press-release_SPEECH-14-575_en.htm.

[39] European Court of Human Rights, Neij and Kolmisoppi v. Sweden, n.° 40397/12, February 19, 2013.

[40] Stefan Walz, “Relationship between the freedom of the press and the right to informational privacy in the emerging information society”, 19th International Data Protection Commisars Conference, 1997.

[41] Aja Romano, “How Facebook made it impossible to delete Facebook”, Vox, March 22, 2018, https://www.vox.com/culture/2018/3/22/17146776/delete-facebook-difficult.

[42] “Guidelines on the implementation of the Court of Justice of the European Union judgment on “Google Spain and Inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12;” Article 29 Working Party, November 26, 2014, http://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp225_en.pdf, 2: “The interest of the public will be significantly greater if the data subject plays a role in public life”.

[43] Peter Blume, “The data subject”, European Data Protection Law Review 1, n.° 4 (2015): 258-264, https://doi.org/10.21552/EDPL/2015/4/4.

[44] Council of Europe. “Recommendation CM/Rec (2018)2 of the Committee of Ministers to member States on the roles and responsibilities of Internet intermediaries”, March 7, 2018.

[45] “Guidelines on transparency under Regulation 2016/679,” Article 29 Working Party, April 11, 2018, http://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51025.

[46] Ibid. 10; GDPR. Recital 58.

[47] Guidelines on transparency under Regulation 2016/679,” Article 29 Working Party, April 11, 2018, http://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51025, 12.

[48] Ibid. 7.

[49] GDPR. Article 25.

[50] Simone van der Hof and Eva Lievens, “The importance of privacy by design and data protection impact assessments in strengthening protection of children’s personal data under the GDPR”, Communications Law 23, n.° 1 (2018): 35, https://ssrn.com/abstract=3107660.

[51] “Submission to the Government Consultation on A Digital Economy Strategy for Canada”, Public Interest Advocacy Centre, 2010, https://corporationscanada.ic.gc.ca/eic/site/028.nsf/eng/00217.html#p3.2.3.

[52] Simone van der Hof and Eva Lievens, “The importance of privacy by design and data protection impact assessments in strengthening protection of children’s personal data under the GDPR”, cit., 37.

[53] Many children lie about their age when creating profiles for services that restrict the use of their services to children above a certain age.

[54] Claire Bessant, “Sharenting: balancing the conflicting rights between parents and children”, Communications Law 23, n.° 1 (2018): 7, http://nrl.northumbria.ac.uk/33818/.

[55] Alicia Blum-Ross and Sonia Livingstone, “‘Sharenting’, parent blogging, and the boundaries of the digital self”, Popular Communication 15, n.° 2 (2017): 115-125, https://doi.org/10.1080/15405702.2016.1223300.

[56] Claire Bessant, “Sharenting: balancing the conflicting rights between parents and children”, Communications Law 23, n.° 1 (2018): 7, http://nrl.northumbria.ac.uk/33818/.

[57] Stacey Steinberg, “Sharenting: children’s privacy in the age of social media”, Emory Law Journal 66 (2017): 839, https://ssrn.com/abstract=2711442; Eva Lievens, Sonia Livingstone, Sharon McLaughlin, Brian O’Neill and Valerie Verdoodt, “Children’s Rights and Digital Technologies”, in International Human Rights of Children, eds., Ursual Kilkelly y Toon Liefaard (Singapur, Springer, 2018) 11.

[58] Ibid.

[59] GDPR. Article 2 (2) c). See also: Claire Bessant, “Sharenting: balancing the conflicting rights between parents and children”, Communications Law 23, n.° 1 (2018): 18, http://nrl.northumbria.ac.uk/33818/.

[60] GDPR. Recital 18; “Handbook on European Data Protection Law 2018 edition”, Fundamental Rights Agency and Council of Europe, 2018, 103 et seq.

[61] “Guide to the GDPR – Children,” UK Information Commissioner’s Office, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/children-and-the-gdpr/what-rights-do-children-have/#_Right_to_be.

[62] Handbook on European Data Protection Law 2018 edition”, Fundamental Rights Agency and Council of Europe, 2018.

[63] “Children’s rights and justice: Minimum age requirements in the EU,” Fundamental Rights Agency, 2018.

[64] “Guide to the GDPR – Children,” UK Information Commissioner’s Office, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/children-and-the-gdpr/what-rights-do-children-have/#_Right_to_be

[65] “Guide to the GDPR – Children”.

[66] “Guide to the GDPR – Children”.

[67] “Every child’s right to be heard: A resource guide on the UN Committee on the Rights of the Child General Comment No. 12,” Gerison Lansdown, 2011, https://www.unicef.org/french/adolescence/files/Every_Childs_Right_to_be_Heard.pdf.

[68] GDPR. Article 12.

[69] GDPR. Article 12 (3).

[70] GDPR. Article 12 (4).

[71] GDPR. Article 77.

[72] “Draft guidelines to promote, protect and fulfil children’s rights in the digital environment”, Council of Europe, 2017.

[73] GDPR. Recital 7.

[74] GDPR. Article 5 (2).

[1] N. del trad.: Las razones expresadas en la exposición de motivos del RGPD están enumeradas consecutivamente, y el término utilizado en la versión en español para identificarlas es “razón”. En inglés se utiliza el término “recital”. En la traducción de este artículo se usan los términos “razón” o “recital” indistintamente para hacer alusión al correspondiente apartado de la citada exposición de motivos.

[2] Directiva 95/46/EC del Parlamento Europeo y del Consejo, del 24 de octubre de 1995, relativa a la protección de las personas físicas en lo que respecta al tratamiento de datos personales y a la libre circulación de estos datos, Diario Oficial L. 281, noviembre 23, 1995, 31-50; ya no está vigente. El artículo 12 estipulaba que “Los Estados miembros garantizarán a todos los interesados el derecho de obtener del responsable del tratamiento: […] (b) en su caso, la rectificación, la supresión o el bloqueo de los datos cuyo tratamiento no se ajuste a las disposiciones de la presente Directiva, en particular a causa del carácter incompleto o inexacto de los datos […]”.

[3] Así como el artículo 9 (1) e) del Convenio del Consejo de Europa para la Protección de las Personas con respecto al Tratamiento Automatizado de Datos Personales.

[4] Tribunal de Justicia de la Unión Europea. (Google Spain SL y Google Inc. vs. Agencia Española de Protección de Datos (AEPD) y Mario Costeja González). C-131/12 (17 mayo, 2014).

[5] Tribunal de Justicia de la Unión Europea. (Google Spain SL y Google Inc. vs. Agencia Española de Protección de Datos (AEPD) y Mario Costeja González). C-131/12 (17 de mayo, 2014). Opinión del Abogado General Jääskinen, punto 108.

[6] Véase, por ejemplo: Bert-Jaap Koops, “Forgetting Footprints, Shunning Shadows: A Critical Analysis of the ‘Right to Be Forgotten’ in Big Data Practice”. SCRIPTed 8, n.º 3 (2011): 229-256, http://dx.doi.org/10.2139/ssrn.1986719; Ignacio N. Cofone, “Google v. Spain: A Right To Be Forgotten?”. Chicago-Kent Journal of International and Comparative Law 15, n.º 1 (2015): 1-11, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2548954.

[7] Supervisor Europeo de Protección de Datos. Opinion on the data protection reform package. Punto 146. (Marzo 7, 2012).

[8] Reglamento General de Protección de Datos (RGPD). Artículo 4 (7). Mayo 25 de 2018.

[9] Reglamento General de Protección de Datos (RGPD). Artículo 3. Mayo 25 de 2018.

[10] Sonia Livingstone y Kjartan Ólafsson, “Children’s commercial media literacy: new evidence relevant to UK policy decisions regarding the GDPR”, Media Policy Project (blog), 26 de enero de 2017, https://blogs.lse.ac.uk/mediapolicyproject/2017/01/26/childrens-commercial-media-literacy-new-evidence-relevant-to-uk-policy-decisions-regarding-the-gdpr/.

[11] Rachele Ciavarella y Cecil De Terwangne, “Online Social Networks and young people’s privacy protection: the role of the right to be forgotten”, en Minding minors wandering the web: regulating online child safety. eds., Simone van der Hof, Bibi van den Berg y Bart Schermer (La Haya: Asser Press Springer, 2014), 158; Reglamento General de Protección de Datos (RGPD). Recital 65. Mayo 25 de 2018.

[12] Danah Boyd, It’s complicated: the social lives of networked teens (New Haven: Yale University Press, 2014).

[13] El principio colombiano de “habeas data” está consagrado en el artículo 15 de la Constitución Política, y se ha desarrollado más a fondo en el contexto de los servicios financieros. Véase Corte Constitucional de Colombia. Sentencia T-444 del 7 de Julio de 1992 (MP: Alejandro Martínez Caballero); Ley 1266 de 2008, 31 de diciembre de 2008. Disposiciones generales del hábeas data. Diario oficial 47219.

[14] Como el proyecto de ley de protección de datos de Brasil, que prevé dos instancias para la supresión en su artículo 18. La sección IV establece que el interesado tiene derecho a obtener “la supresión de datos innecesarios, excesivos o tratados de manera contraria al proyecto”. La sección VI va más allá al determinar que la supresión también se puede obtener en el caso de “datos personales tratados con el consentimiento del interesado, excepto en los casos previstos en el art. 16 de esta Ley”. Véase Senado de Brasil PLC 53/2018. (Proyecto de Ley de Protección de Datos) (10 de julio de 2018).

[15] Asamblea de California, Assembly Bill n.º 375 (California Consumer Privacy Act of 2018) (28 de junio de 2018). Su versión del derecho al olvido se puede encontrar en el artículo 1798.105, y el proyecto de ley entrará en vigencia el 1.º de enero de 2020. Además, la Ley borrador en línea (Online Eraser Law) se adoptó en 2013 (California Senate, Senate Bill n.º 568 [Online Eraser Law] [23 September 2013]).

[16] Simone van der Hof, “I agree… or do I? - A rights-based analysis of the law on children’s consent in the digital world”, Wisconsin International Law Journal 34, n.º 2 (2017): 409-445, http://hdl.handle.net/1887/58542; “Guidelines on transparency under Regulation 2016/679”, Grupo de Trabajo del Artículo 29, 11 de abril de 2018, 10.

[17] Marga M. Groothuis, “The Right to Privacy for Children on the Internet” en Minding minors wandering the web: regulating online child safety. eds., Simone van der Hof, Bibi van den Berg y Bart Schermer (La Haya: Asser Press Springer, 2014), 152.

[18] Convención Europea de Derechos Humanos. Artículo 8. Septiembre 3, 1953.

[19] Carta de los Derechos Fundamentales de la Unión Europea. Artículos 7, 8 y 24. Diciembre 18, 2000.

[20] Simone van der Hof, “No Child’s Play: Online Data Protection for Children” en Minding minors wandering the web: regulating online child safety, eds., Simone van der Hof, Bibi van den Berg y Bart Schermer (La Haya: Asser Press Springer, 2014), 129.

[21] “Working Document 1/2008 on the protection of children’s personal data”, Grupo de Trabajo del Artículo 29, febrero 18 de 2008; “Opinion 2/2010 on online behavioural advertising”, Grupo de Trabajo del Artículo 29, junio 22 de 2010; “Opinion 5/2009 on online social networking”, Grupo de Trabajo del Artículo 29, junio 12 de 2009.

[22] Anna Bunn, “The curious case of the right to be forgotten”, Computer Law & Security Review 31, n.º 3 (2015): 336-350, https://doi.org/10.1016/j.clsr.2015.03.006; Simone van der Hof y Eva Lievens, “The importance of privacy by design and data protection impact assessments in strengthening protection of children’s personal data under the GDPR”, Communications Law 23, n.º 1 (2018): 37, https://ssrn.com/abstract=3107660.

[23] Consejo de Europa. Recommendation of the Committee of Ministers to member States on the roles and responsibilities of internet intermediaries. CM/Rec(2018)2. (Marzo 7, 2018).

[24] Jonathan Zittrain, “Don’t Force Google to ‘Forget’”, The New York Times, 14 de mayo de 2014, https://www.nytimes.com/2014/05/15/opinion/dont-force-google-to-forget.html.

[25] Simone van der Hof, “I agree… or do I? - A rights-based analysis of the law on children’s consent in the digital world”, Wisconsin International Law Journal 34, (2017): 409-45, https://hdl.handle.net/1887/58542.

[26] Eva Lievens y Valerie Verdoodt, “Looking for needles in a haystack: key issues affecting children’s rights in the General Data Protection Regulation”, Computer Law & Security Review 34, n.º 2 (2018): 269-278, https://doi.org/10.1016/j.clsr.2017.09.007. La Convención de las Naciones Unidas sobre los Derechos del Niño de 1989 reconoce a los niños como titulares de derechos fundamentales y no solo como simples objetos de protección. Esto implica que “en todas las medidas concernientes a los niños […] una consideración primordial a que se atenderá será el interés superior del niño” (artículo 3 de la Convención sobre los Derechos del Niño).

[27] “Guide to the GDPR-Right to erasure”, UK Information Commissioner’s Office, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/.

[28] Reglamento General de Protección de Datos (RGPD). Recital 65. Mayo 25 de 2018.

[29] Reglamento General de Protección de Datos (RGPD). Artículo 12 (6). Mayo 25 de 2018; “Guide to the GDPR-Right to erasure”, UK Information Commissioner’s Office, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/.

[30] Reglamento General de Protección de Datos (RGPD). Artículo 17 (2). Mayo 25 de 2018.

[31] “Het recht om uw gegevens te laten wissen”, Gegevensbeschermingsautoriteit, https://www.gegevensbeschermingsautoriteit.be/het-recht-om-uw-gegevens-te-laten-wissen-art-17-avg#overlay-context=; “Opinion of the data protection reform package”, European Data Protection Supervisor, 7 de marzo de 2012, 147.

[32] Guide to the GDPR-Right to erasure”, UK Information Commissioner’s Office, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/; Reglamento General de Protección de Datos (RGPD). Recital 65. Mayo 25 de 2018.

[33] Peter Blume, “The data subject”, European Data Protection Law Review 1, n.º 4 (2015): 258-264. https://doi.org/10.21552/EDPL/2015/4/4.

[34] Véase Reglamento General de Protección de Datos (RGPD). Artículo 17 (2). Mayo 25 de 2018. Otras razones son “para el cumplimiento de una obligación legal que requiera el tratamiento de datos impuesta por el Derecho de la Unión o de los Estados miembros que se aplique al responsable del tratamiento, o para el cumplimiento de una misión realizada en interés público o en el ejercicio de poderes públicos conferidos al responsable; por razones de interés público en el ámbito de la salud pública de conformidad con el artículo 9, apartado 2, letras h e i, y apartado 3; con fines de archivo en interés público, fines de investigación científica o histórica o fines estadísticos, de conformidad con el artículo 89, apartado 1, en la medida en que el derecho indicado en el apartado 1 pudiera hacer imposible u obstaculizar gravemente el logro de los objetivos de dicho tratamiento; o para la formulación, el ejercicio o la defensa de reclamaciones”. El Recital 4 del RGPD también enfatiza la importancia de equilibrar los diferentes derechos en juego de manera más general: “El tratamiento de datos personales debe estar concebido para servir a la humanidad. El derecho a la protección de los datos personales no es un derecho absoluto sino que debe considerarse en relación con su función en la sociedad y mantener el equilibrio con otros derechos fundamentales, con arreglo al principio de proporcionalidad. El presente Reglamento respeta todos los derechos fundamentales y observa las libertades y los principios reconocidos en la Carta conforme se consagran en los Tratados, en particular el respeto de la vida privada y familiar, del domicilio y de las comunicaciones, la protección de los datos de carácter personal, la libertad de pensamiento, de conciencia y de religión, la libertad de expresión y de información, la libertad de empresa, el derecho a la tutela judicial efectiva y a un juicio justo, y la diversidad cultural, religiosa y lingüística”.

[35] Bien sea que la protección de datos personales se considere un derivado de la privacidad o un derecho autónomo.

[36] Tribunal Europeo de Derechos Humanos. (Wegrzynowski y Smolczewski vs. Polonia). 33846/07 (16 de julio, 2013). Para. 56.

[37] Stefan Kulk y Frederik Zuiderveen Borgesius, “Google Spain v. Gonzalez: Did the Court Forget about Freedom of Expression?”, European Journal of Risk Regulation 5, n.º 3 (2014): 389, https://ssrn.com/abstract=2491486; Steve Peers, “The CJEU’s Google Spain Judgment: Failing to Balance Privacy and Freedom of Expression”, EU Law Analysis, (2014), http://eulawanalysis.blogspot.co.uk/2014/05/the-cjeusgoogle-spain-judgment-failing.html;Caro Rolando, “How “The Right to Be Forgotten” Affects Privacy and Free Expression”, IFEX, (2014), https://www.ifex.org/europe_central_asia/2014/07/21/right_forgotten; Guy Vassall-Adams, “Case comment: Google Spain SL, Google Inc vs. Agencia Española de Protección de Datos, Mario Costeja González”, Eutopia Law, (2014), https://eutopialaw.com/2014/05/16/case-comment-googlespain-sl-google-inc-v-agencia-espanola-de-proteccion-de-datos-mario-costeja-gonzalez/; “EU court enshrines “right to be forgotten” in Spanish case against Google”, Reporteros sin Fronteras, 14 de mayo de 2014, https://rsf.org/en/news/eu-court-enshrines-right-be-forgotten-spanish-case-against-google.

[38] Charles Arthur, “UK news organisations criticise Google over implementation of new law”, The Guardian, (2014), https://www.theguardian.com/technology/2014/jul/03/google-right-to-be-forgotten-law-uk-news-search-requests.

[39] Nellie Kroes Speech: “Freedom of Expression is No Laughing Matter”, Comisión Europea, 2 de septiembre de 2014, https://europa.eu/rapid/press-release_SPEECH-14-575_en.htm.

[40] Tribunal Europeo de Derechos Humanos. (Neij y Kolmisoppi vs. Suecia). 40397/12 (19 de febrero, 2013).

[41] Stefan Walz, “Relationship between the freedom of the press and the right to informational privacy in the emerging information society”. 19ª Conferencia Internacional de Protección de Datos Personales, 1997.

[42] Aja Romano, “How Facebook made it impossible to delete Facebook”, Vox, (2018), https://www.vox.com/culture/2018/3/22/17146776/delete-facebook-difficult.

[43] “Guidelines on the implementation of the Court of Justice of the European Union judgment on Google Spain and Inc vs. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González”. C-131/12, Grupo de Trabajo del Artículo 29, 26 de noviembre de 2014, http://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp225_en.pdf, 2: “The interest of the public will be significantly greater if the data subject plays a role in public life”.

[44] Peter Blume, “The data subject”, European Data Protection Law Review 1, n.º 4 (2015): 258-264, https://doi.org/10.21552/EDPL/2015/4/4.

[45] Consejo de Europa. Recommendation of the Committee of Ministers to member States on the roles and responsibilities of internet intermediaries. CM/Rec(2018)2. (Marzo 7, 2018).

[46] “Guidelines on transparency under Regulation” 2016/679, Grupo de Trabajo del Artículo 29, 11 de abril de 2018, https://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51025.

[47] “Guidelines on transparency under Regulation” 2016/679, Grupo de Trabajo del Artículo 29, 11 de abril de 2018, 10, http://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51025; Reglamento General de Protección de Datos (RGPD). Recital 58.

[48] “Guidelines on transparency under Regulation” 2016/679, Grupo de Trabajo del Artículo 29, 11 de abril de 2018, 12, https://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51025.

[49] “Guidelines on transparency under Regulation” 2016/679, Grupo de Trabajo del Artículo 29, 11 de abril de 2018, 7, https://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51025.

[50] Reglamento General de Protección de Datos (RGPD). Artículo 12 (6). Mayo 25 de 2018.

[51] Simone van der Hof y Eva Lievens, “The importance of privacy by design and data protection impact assessments in strengthening protection of children’s personal data under the GDPR”, Communications Law 23, n.º 1 (2018): 35, https://ssrn.com/abstract=3107660.

[52] “Submission to the Government Consultation on A Digital Economy Strategy for Canada”, Public Interest Advocacy Centre, 2010, https://corporationscanada.ic.gc.ca/eic/site/028.nsf/eng/00217.html#p3.2.3.

[53] Simone van der Hof y Eva Lievens, “The importance of privacy by design and data protection impact assessments in strengthening protection of children’s personal data under the GDPR”, Communications Law 23, n.º 1 (2018): 37, https://ssrn.com/abstract=3107660.

[54] Muchos niños mienten sobre su edad cuando crean perfiles en servicios que restringen su uso a niños mayores de cierta edad.

[55] Claire Bessant, “Sharenting: balancing the conflicting rights between parents and children”, Communications Law 23, n.º 1 (2018): 7, https://nrl.northumbria.ac.uk/33818/.

[56] Alicia Blum-Ross y Sonia Livingstone, “‘Sharenting’, parent blogging, and the boundaries of the digital self”, Popular Communication 15, n.º 2 (2017): 115-125, https://doi.org/10.1080/15405702.2016.1223300.

[57] Claire Bessant, “Sharenting: balancing the conflicting rights between parents and children”, Communications Law 23, n.º 1 (2018): 7, https://nrl.northumbria.ac.uk/33818/.

[58] Stacey Steinberg, “Sharenting: children’s privacy in the age of social media”, Emory Law Journal 66, (2017): 839, https://ssrn.com/abstract=2711442; Eva Lievens, Sonia Livingstone, Sharon McLaughlin, Brian O’Neill y Valerie Verdoodt, “Children’s Rights and Digital Technologies”, en International Human Rights of Children, eds., Ursual Kilkelly y Toon Liefaard (Singapur, Springer, 2018) 11.

[59] Reglamento General de Protección de Datos (RGPD). Artículo 2 (2) c. Mayo 25 de 2018. Véase también: Claire Bessant, “Sharenting: balancing the conflicting rights between parents and children”, Communications Law 23, n.º 1 (2018): 18, https://nrl.northumbria.ac.uk/33818/.

[60] Reglamento General de Protección de Datos (RGPD). Recital 18. Mayo 25 de 2018; “Handbook on European Data Protection Law 2018 edition”, Agencia de los Derechos Fundamentales y Consejo de Europa, 2018, 103 et seq.

[61] “Guide to the GDPR-Children”, UK Information Commissioner’s Office, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/children-and-the-gdpr/what-rights-do-children-have/#_Right_to_be.

[62] “Handbook on European Data Protection Law 2018 edition”, Agencia de los Derechos Fundamentales y Consejo de Europa, 2018.

[63] “Children’s rights and justice: Minimum age requirements in the EU”, Agencia de los Derechos Fundamentales, 2018.

[64] “Guide to the GDPR-Children”, UK Information Commissioner’s Office, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/children-and-the-gdpr/what-rights-do-children-have/#_Right_to_be.

[65] “Guide to the GDPR-Children”, UK Information Commissioner’s Office, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/children-and-the-gdpr/what-rights-do-children-have/#_Right_to_be.

[66] “Guide to the GDPR-Children”, UK Information Commissioner’s Office, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/children-and-the-gdpr/what-rights-do-children-have/#_Right_to_be.

[67] “Every child’s right to be heard: A resource guide on the UN Committee on the Rights of the Child General Comment n.º 12”, Gerison Lansdown, 2011, https://www.unicef.org/french/adolescence/files/Every_Childs_Right_to_be_Heard.pdf.

[68] Reglamento General de Protección de Datos (RGPD). Artículo 12. Mayo 25 de 2018.

[69] Reglamento General de Protección de Datos (RGPD). Artículo 12 (3). Mayo 25 de 2018.

[70] Reglamento General de Protección de Datos (RGPD). Artículo 12 (4). Mayo 25 de 2018.

[71] Reglamento General de Protección de Datos (RGPD). Artículo 77. Mayo 25 de 2018.

[72] “Draft guidelines to promote, protect and fulfil children’s rights in the digital environment”, Consejo de Europa, 2017.

[73] Reglamento General de Protección de Datos (RGPD). Recital 7. Mayo 25 de 2018.

[74] Reglamento General de Protección de Datos (RGPD). Artículo 5 (2). Mayo 25 de 2018.