Tuesday, December 26, 2017

The Right to Be Forgotten in Indonesia: Progression or Regression?

| More
Ardhanti Nurwidya[1]
Ardhanti Nurwidya
“… is a tool begging for use by bad actors with short-term issues: the disreputable politician on the eve of election; the embezzler meeting a new client; the convicted abuser looking for a date. Mandating it by law is a big mistake.”[2] - Daphne Keller (former Google lawyer and Standford University scholar)
The Internet has a unique characteristic, in that once information has been posted online – it will theoretically stay there forever. In July 2010, Rosen penned an article for The New York Times titled The Web Means the End of Forgetting’. In the article, Rosen relates the story of Stacy Snyder, a high-school teacher who posted a picture of herself drunk above the caption “Drunken Pirate.” Her Alma Mater subsequentlydenied her the teaching degree that she had earned after the picture surfaced on the basis that, “She does not represent the university.”[3] Rosen went on to explain how the characteristics of the internet can thus be perceived as a threat within the context of data privacy.[4] This characteristic of the internet – the fact that it cannot forget – represents a challenge as regards the implementation of the Right to be Forgotten (“RtbF”) provision.
The RtbF existed as a concept as early as 1995, under the European Union Directive 95/46/EC on the protection of personal data (“Directive”). Under the Directive, the term “right to erasure” was used, instead of the Right to be Forgotten. However, it seems clear that the provision was not drafted with the dissemination of information over the internet specifically in mind. In 1995, the internet was not nearly as developed as it is today. Indeed, even Google wasn't incorporated until 1998, some three years after the issuance of the Directive. The term “right to erasure” thus lacked any significant context until Mario Costeja Gonzalez submitted a lawsuit directed at La Vanguardia and Google which specifically addressed “the right to erasure” provision.
Mr Gonzalez is a Spanish citizen and ultimately fought his RtbF case for a full five years. The case revolved around the fact that Mr Gonzalez was unhappy due to the fact that every time he “Googled” his name, he stumbled upon news articles from La Vanguardia which related to the announcement of a real-estate auction which followed the recovery of social security debts that he owed back in 1990. In its judgment, the Court Justice of the European Union (“Court”) decided that Google was ultimately the controller of the data in question and was thus obliged to remove the content which was deemed “inadequate, irrelevant or excessive about the purposes of the processing,”[5] as requested by Mr Gonzalez as a data subject. This judgment marked the adoption of the RtbF by the European Union (“EU”).
Two years after the judgment, the European Parliament adopted the General Data Protection Regulation (“GDPR”), which offered greater clarity on the provision of RtbF. The GDPR itself will enter into force in 2018 and any companies (which are located either within the EU or outside it) which do not follow the provision(s) will be fined. The graphic below shows the timeline for the implementation of the RtbF, from 1995 to 2018.
Indonesia is the first country in Asia to adopt the RtbF through the enactment of the Amendment to the EIT Law.[6] In addition to the Amendment to the EIT Law, the RtbF provision is also mentioned under: 1) Draft Law on the Protection of Personal Data (“Draft Law”); and 2) Ministry of Communications and Informatics Regulation No. 20 of 2016 on the Protection of Personal Data Held in Electronic Systems (“Minister’s Regulation”).

Article 26 of the Amendment to the EIT Law:

"Each Electronic System Provider is obliged to remove any Electronic Information and/or electronic documents that are/are no longer relevant, under their control, based on a request made by a relevant Person by court’s decree."

Article 11 of the Draft Law:

"The data subjects have the right to request removal of their personal data. Such removal should be undertaken for any personal data: 1) that does not have any value 2) for which the retention period has elapsed 3) for which no regulation prohibits the removal 4) which is not related to any ongoing legal proceedings.”

Article 20 of the Minister’s Regulation:

“If a data subject requests that his/her specific personal data should be removed, then such request for erasure shall be made under the relevant laws and regulation.”

The adoption of the RtbF in Indonesia encompasses various pros and cons. One of the pros is that the RtbF provides a higher level of protection to data subjects. Indonesia has a low level of protection as regards the privacy of data subjects. Under the previous draft of the EIT Law, the law only provided that the electronic system providers to obtain consent from data subjects. There were no further requirements which related to any levels of privacy as imposed by electronic system providers in order to protect the privacy of their users. Consent itself is a complicated theme, however, especially in the current era of big data. In a world where data is transferable between one processor and millions of others, we can never really be sure whether we have granted full consent as regards the processing of our personal data.
The adoption of the RtbF, together with the upcoming legislation on privacy, shows the commitment of the current government to protecting the privacy of its citizens. Thus, the adoption of the RtbF provision in Indonesia is indeed a sign of progress. However, it is not enough to merely issue a regulation. The Indonesian government should also consider how to enforce the various provisions which are set out in the issuing regulation.
The implementation of the RtbF within the EU itself is still proving controversial and several criticisms regarding the RtbF have been voiced. Firstly, based on the judgment of the Court, specifically paragraph 99, the judges have expressed the view that it is necessary to always strike a balance between the right to privacy and the freedom of expression. In her paper, Eleni Frantziou[7] wrote, “How much is too much protection of privacy?”
Frantziou believes that it is impossible to monitor whether a balance can be struck between these two rights.[8] The RtbF is seen as leaning too far towardsprivacy at the expense of freedom of expression. Hence the RtbF is deemed to be a form of censorship and is seen as preventing the public from accessing the information that it needs or should know. Furthermore, the Advocate General[9] has also stated that the RtbF entails an interference with the freedom of expression of the publisher, as its publication will thus become more difficult for internet users to locate.[10]
Secondly, the RtbF mechanism that enables users to directly request that Google remove certain items also has its pros and cons. Some people think this mechanism is an efficient one, while others believe that it gives too much power to Google – who act in the role of a judge – thus it may lead to censorship by a private company.
Thirdly, under the judgment of the CJEU, an exception is granted for data subjects who are exposed to the public sphere – i.e., public figures. Since there are insufficient guidelines from the court, it seems that the criteria for the designation of public figures will have to proceed on a case-by-case basis. Everyone can agree that a celebrity is considered a public figure, for example, but what about an athlete? A CEO? A priest? Or even a criminal? It is thus important for the government to set adequate criteria in order to define public figures, otherwise, similar cases will produce different judgments.
Fourthly, there is an ongoing discussion relating to how effective the RtbF will ultimately prove to be in terms of protecting an individual’s privacy or of stopping the dissemination of data subjects’ personal data through the internet.
Indonesian Legislation
Referring to the above, the wording of the RtbF provision as set out under the GDPR and the Amendment to the EIT Law are not the same. The wording of the RtbF provision under Indonesian Law will, at the least, have two different impacts from those of the EU. I will now highlight these impacts, which will possibly manifest themselves after the RtbF provision has been enacted in Indonesia.
1) Electronic System Providers as Controllers
Under the GDPR, the EU differentiates between the term “controller” and “processor”. This distinction is important, as the GDPR only requires the controller, and not the processor, to remove personal data under the provision of the RtbF. The rationale behind this is that any such removal should be undertaken by the party who has control over the data.
Article 29 WP[11] makes a distinction between the “controller” and “processor” and aims to distinguish who is responsible for personal data and who is only acting on behalf of other parties.[12] Thus, not all companies who hold the personal data of data subjects are obliged under the GDPR to remove said data upon the request of the data subjects. Under Article 4 of the GDPR, a controller is defined as a party who determines the purposes and means of the processing of personal data.[13] Meanwhile, a processor is a party who processes data on behalf of the controller (including the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, aligning or combining, restricting, erasing or destroying).[14]The controller can be deemed as a boss or the person in charge who determines what data should be processed, as well as why and how this process should be carried out. The processor should be the member of staff who will undertake the relevant job based on the instructions of the person in charge.[15]
However, it is very difficult in the current business climate to clearly distinguish between the concepts of controller and processor. In the Google Spain case, for example, there were a number of conflicting arguments that emerged between the states and Google as to whether the search engine company should be deemed as a controller or a processor.
Mr Gonzalez, together with the Spanish, Italian, Austrian and Polish Governments and the European Commission, considered Google to be a controller because it determines the means and purpose of the processing of the data.[16] On the other hand, Google argued that its activities should not be regarded as the processing of data, as Google did not display the relevant information on its site by affecting the selection of personal data and other information, and even if the activities of Google were deemed to involve the processing of personal data, Google was of the view that they were not the party responsible for determining the means and purposes of the personal data – so they could not ultimately be defined as a controller.
Finally, my recommendation to the Indonesian government is not to compound the uncertainties that surround the above concepts. The regulators and other stakeholders should not confuse the term “controller” and “processor” in relation to the enforcement of the RtbF. As long as the relevant electronic system providers have the capacity to remove the requested content from its sites, they should be obliged to do so.
2) State Court or Google Court?
Google didn't ask to be the decision maker." - Eric Schmidt (Google Chairman)[17]
In Indonesia, the government has adopted a different stance from that of the EU in terms of how a request will proceed. In the EU, data subjects may send requests directly to the electronic-system provider or to the controller. Google, for instance, has set up a system that has received 1.5 million requests across all categories since this process began to be implemented across Europe (as quoted in an interview with Peter Fleischer which took place in August 2016).[18] The system was established in 2014 for users in the EU, the European Economic Area (i.e., Iceland, Liechtenstein, and Norway) and Switzerland,[19] just thirteen days after the judgment in the Google Spain Case was handed down. Upon receiving any requests, Google will now examine said requests and decide whether to take down any URLs that contain the personal data of users. On the other hand, the Indonesian government has decided that the courts should have the authority to determine whether or not the relevant URLs should be taken down.
One major drawback of granting authority to the Indonesian courts is the prevailing bureaucracy. Applying to the court can consume significant amounts of both time and energy, and in many cases, there will also be a distinct lack of certainty regarding anything that an Indonesian court does. Indeed, it is possible that two similar cases will generate completely different decisions, dependent on the panel of the judges dealing with the case. As a result of these factors, the granting of authority to the courts as regards this area may ultimately make data subjects reluctant to apply. Thus, this provision will not achieve its goals, as data subjects will become disinclined to exercise their rights in the context of a dysfunctional system.
On the other hand, the granting of authority to Indonesian courts may also offer some incentives as regards the implementation of the RtbF in Indonesia.
1) Removing unnecessary burdens from private companies
The requirement for private companies to operate their own RtbF systems may place a burden upon the finances of such companies. Google, as one of the world’s leading tech giants, has around 100 employees who deal solely with RtbF requests.[20] Indeed, Google is planning to hire more employees in order to handle the extra workload.[21] However, few companies have the financial resources of Google at their disposal. Indeed, many tech companies are start-ups which are dependent upon donator funding. Are such companies also required to implement similar systems?
2) Private companies act as private administrative agencies
One of the critiques of the prominent role of Google in the implementation of the RtbF provision is the role of Google as a private company acting as a private administrative agency, including quasi-lawmaking, quasi-adjudicative and quasi-enforcement powers.[22]Google’s European Communications Director, Peter Barron, has stated: “Google never expected or wanted to make… These complicated decisions that would in the past have been extensively examined in the courts…”
There are some risks involved in granting Google, a private company, the authority to adjudicate upon issues of data protection, including lack of transparency. Indeed, both applicants and the general public may not receive adequate information on how a company strikes a balance between the right to privacy and the right to freedom of expression, as well as the reasons as to why any requests that they make are either approved or rejected. This is despite the fact that Google has already committed to publishing transparency reports in order to explain any information that they have removed.
Furthermore, it seems that there are no specific criteria that Google uses in order to decide whether or not to delete certain information. Indeed, Peter Fleischer stated in an interview: “If it is not a public figure and it is a minor issue, and there is not much public interest in it, we would probably remove it.”[23] – this quote reveals a lack of certainty as regards any determination of whether content should be removed. Ultimately, the RtbF is a derogation of the right to privacy, which is an integral part of any overarching framework of human rights. Human rights involve positive obligations which the state has to respect, protect and implement. Thus, the state has the biggest role to play in enforcing the human rights of its citizens. The court is one of the primary state agencies that have the authority to grant decisions relating to human rights and other matters. That is why courts may be the most relevant agency as regards dealing with the RtbF issue.
Finally, the implementation of the RtbF indeed shows that progress is being made in relation to the protection of personal data within Indonesia. However, there can also be a regression if the government does not think carefully about the side and ripple effects of the implementation of any such provision. Indeed, the implementation of the RtbF across the EU still incites various controversies, despite the fact that the EU is seen as a role model for other countries within the context of privacy. Thus, I recommend that the Indonesian government should sit back and invite all stakeholders working in the field of privacy (including data subjects) to engage in further discussions on the proposed implementing regulation which will address the RtbF. In order to keep up with the increasingly complex issues which are starting to arise due to the fundamental clash between privacy and freedom of expression, the Indonesian government needs to draft and pass a comprehensive legislation on the RtbF.
The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official position of Hukumonline.com 
[1] Legal Counsel of Traveloka Group Companies
Master of Law in Advanced Studies in Law and Digital Technologies at Leiden University.
[2] Established in 1959 by the Council of Europe and thus distinct from – although often confused with – the European Court of Justice, which oversees EU Law, as cited in George Brook, p.75.
[3] Jeffrey Rosen, ‘The Web Means the End of Forgetting’, published July 21, 2010 http://www.nytimes.com/2010/07/25/magazine/25privacy-t2.html
[4] Ibid, at para 4.
[5] Google Spain Decision, para. 92-94.
[6] The EIT Law is Law No. 8 of 2011, as amended by Law No. 19 of 2016.
[7] Eleni Frantziou is a PhD candidate at University College London who has written a dissertation on ‘The Horizontal Effect of the Charter of Fundamental Rights of the EU’ https://www.laws.ucl.ac.uk/research-students/eleni-frantziou/ [Eleni Frantziou].
[8] Supra Note, Eleni Frantziou, p.770.
[9] Advocate General is senior officers of the law that assists the judges by providing their opinions toward the implementation of the law to the cases. The opinion of the Advocate General is not binding to the judges. However, in most cases, the judges’ decision will be in-line with the recommendation from the Advocate General.
[10] Stefan Kulk and Frederik Zuiderveen Borgesius, ‘Google Spain v. Gonzalez: Did the Court Forget about Freedom of Expression?’ (European Journal of Risk Regulation), 2014, p.6.
[11] Article 29 Working Party or Data Protection Working Party is an advisory body that was established as instructed by Article 29 of the Directive. It provides the European Commission with independent advice on data protection matters and helps in the development of harmonised policies for data protection in the EU Member States.
[12] Opinion 1/2010 on the concepts of “controller” and “processor”, p. 5 [Article 29 Working Party’s Opinion].
[13] Article 4 paragraph (7), GDPR.
[14] Article 4 paragraph (8) jo. (2), GDPR.
[15] Yvonne Cunnane, Head of Data Protection, Ireland and Jyn Schultze-Melling, Director of Privacy Policy for Europe, ‘A Basic Guide to European Data Protection’ accessed from https://newsroom.fb.com/news/h/a-basic-guide-to-european-data-protection/[A Basic Guide to European Data Protection]
[16] Google Spain Decision, Supra Note, para. 23.
[17] Claude Barfield, ‘The Misbegotten Right to be Forgotten’, accessed from https://www.usnews.com/debate-club/should-there-be-a-right-to-be-forgotten-on-the-Internet/the-misbegotten-right-to-be-forgotten in June 2017.
[19] The reason why Google added four non-EU member state countries to the list of countries able to enjoy the RtbF (i.e., Iceland, Liechtenstein, Norway and Switzerland) is that these countries are often closely aligned in terms of trade and other agreements with the EU member states, quoted from ‘How Google’s New “Right to be Forgotten” Form Works: An Explainer’ accessed from: http://searchengineland.com/google-right-to-be-forgotten-form-192837 [Google’s Form] in June 2017.
[20] Edward Lee, ‘Recognising Rights in Real Time: the Role of Google in the EU Right to be Forgotten’, Law Review Vol. 49: 1017, accessed from https://lawreview.law.ucdavis.edu/issues/49/3/Articles/49-3_Lee.pdf, p.1039. [Edward Lee]
[21] Sam Frizell, ‘There’s a Right to Be Forgotten Industry – and It’s Booming’ accessed from http://time.com/3002240/right-to-be-forgotten-2/ in July 2017.
[22] Edward Lee, Supra Note, p.107.
© Copyright 2000 - 2018 PT Justika Siar Publika. All rights reserved.