Exercise of the right to be forgotten in Turkey in terms of search engine results

Melis Sılacı Korkmaz
Kodiak Law & IP, Istanbul

Berrin Dinçer Özbey
Kodiak Law & IP, Istanbul

Nearly a quarter of the way into the 21st century, technology continues to be one of the areas where humanity has made the fastest progress. Although the ease of data access is one of the most important opportunities provided by technology, this convenience has negatively affected the right to privacy and created the risk of data being accessible indefinitely. The concept of the right to be forgotten has become prominent in order to strike a balance between privacy of individuals on the one hand and the public interest and freedom of expression on the other. 

Within the scope of this article, firstly, the right to be forgotten will be briefly explained in the light of personal data and the decision by the Court of Justice of the European Union ('CJEU') in the case of Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos, Mario Costeja González. Thereafter, we will examine the decision of the Personal Data Protection Board dated 23 June 2020 and numbered 2020/481, which addressed how data subjects can use the right to be forgotten in terms of search engine results in Turkish Law.

Personal data, protection of personal data and the right to be forgotten

Concepts

According to subparagraph d of Article 3 of the Law No. 6698 on the Protection of Personal Data ('LLPD'), 'Any information relating to an identified or identifiable natural person' is defined as personal data.¹

As can be understood from the phrase 'any kind' chosen in the drafting of the article, personal data is not limited to private life; it includes all information related to a person, such as, but not limited to, a person's name, surname, date of birth, marital status, occupation, economic status, image, photograph, educational information, audio and/or video recordings.²

The main purpose of protecting personal data is to guarantee the privacy of individuals' private lives, and in order to achieve this, special measures are taken to protect the records kept by public bodies or the private sector through legal regulations.³

In recent years, with technology continuing to develop, the right to be forgotten has come to the forefront from the perspective of the right to protection of personal data. There is no definition of the right to be forgotten under Turkish law within the scope of existing domestic regulations. 

As for international regulations, although the right to be forgotten has been evaluated in various reports prepared by the United Nations and the Council of Europe in terms of privacy, protection of reputation, respect for private life and even personal data; there is no clear definition of the right to be forgotten.⁴

In the European Union ('EU'), the right to be forgotten was first defined under Article 17 of the General Data Protection Regulation ('GDPR'), which entered into force on 4 May 2016.⁵

The right to be forgotten can be briefly defined as the right of individuals to request the removal of access to their data.⁶ Therefore, the right to be forgotten in terms of search engine results can also be considered as a request for the removal of the data of individuals from the internet environment.⁷

CJEU decision in the case of Google Spain SL, Google Inc v Agencia Espanola de Protecction de Datos, Mario Costeja Gonzalez

Although the explicit legal regulation of the right to be forgotten in the EU emerged with the GDPR, this CJEU decision in 2014 has had a significant role in shaping how the right to be forgotten should be interpreted for EU citizens within the scope of personal data protection law.⁸

In the decision, Mario Costeja González, a Spanish resident and Spanish citizen, filed a complaint before the Spanish Data Protection Center ('AEPD') against La Vanguardia Ediciones SL, which owns La Vanguardia, a daily newspaper with a high circulation, Google Spain and Google Inc. In his complaint, he stated that by searching his name on the Google search engine, he found news articles in La Vanguardia, dated 19.01.1998 and 09.03.1998, concerning the auction sale of González's real estate, which had been seized due to his inability to pay his social security debts. In his complaint, González first requested that the newspaper remove the relevant pages or modify them so that they did not contain his personal data and did not appear in search engines, and that Google Inc. and Google Spain delete or hide the data concerning him so that the links to La Vanguardia did not appear in search results, since the matter concerning the news item in question had been settled many years ago.

The AEPD rejected the complaint against La Vanguardia on the grounds that the publication had a legitimate basis, that the publication was carried out at the request of the Ministry of Labour and Social Affairs, and that the foreclosure sale was aimed at reaching more bidders. However, the AEPD upheld the complaint against Google Inc and Google Spain on the grounds that the search engines had engaged in data processing and were therefore liable.

Following this decision, Google Inc. and Google Spain filed a lawsuit, and during the proceedings, the court sought the CJEU's interpretation. The CJEU stated that Google Inc. and Google Spain are data controllers and that the search engine operator is responsible for the removal from the results of a search for a person's name of the list of websites on which that person's name appears, even if the websites are not deleted and the publication is lawful, and set out the conditions for how Article 12/(b) and Article 14/1(a) of the Directive should be interpreted in terms of the right to be forgotten. The CJEU has also ruled that the results relating to the names of individuals and data on the internet must be deleted if they are 'invalid, incomplete, wholly irrelevant or subsequently rendered irrelevant'.⁹

The Article 29 Data Protection Working Party ('WP') published a guideline dated 26 November 2014 following the decision on the right to be forgotten, explaining how to implement that decision.

In the guideline, it is stated that data subjects can assert rights arising from both the Directive and statutory law against search engines acting as data controllers, that there is no obligation to contact the original website before or at the same time in order to assert the right, and that the data subject may first contact the webmaster if he/she wishes, or exercise his/her rights in respect of one or more search engines.¹⁰

The decision also sets out the conditions under which data subjects can exercise the right to be forgotten, and the WP guideline sets out a list of criteria to be taken into account by European data authorities when handling complaints.     

The decision of the CJEU is very important in terms of explicitly recognizing the activities of search engines as data processing activities, accepting them as data controllers, and determining that they are liable, and has also guided the Board's decision numbered 2020/481.¹¹

Exercise of the right to be forgotten under Turkish law

Although the right to be forgotten is not stipulated under the Turkish Law, the definition of the 'right to be forgotten' was mentioned for the first time in the decision of the General Assembly of Civil Chambers of the Court of Cassation dated E. 2014/4-56, K. 2015/1679 and dated 17 June 2015.

The right to be forgotten was also explicitly recognized by the Constitutional Court in the NBB decision dated 3 March 2016 and numbered 2013/5653 within the scope of Articles 17 and 20 of the Turkish Constitution.¹²

Lastly, the decision of the Personal Data Protection Board ('Board') in 2020 included an important assessment on how the right to be forgotten will be interpreted in terms of search engine results and framed the view of the right to be forgotten in terms of the right to protection of personal data.  

Board’s decision dated 23 June 2020 and numbered 2020/481 ¹³

In its decision dated 23 June 2020 and numbered 2020/481, in parallel with the CJEU decision, the Board stated that search engines are data controllers and their activities should be considered as personal data processing activities. Subsequently, the Board diverged from the CJEU's interpretation and stipulated that the data subjects must first apply to the search engines in order to exercise their rights. Applications to be made within the scope of exercising the right to be forgotten must be made by the data subject personally.¹⁴ 

If the data subject does not receive a response or receives a negative response within 30 days after applying to the data controller, in accordance with Article 13 of the LPPD, he/she has the right to file a complaint with the Board in accordance with Article 14 of the LPPD. With its decision numbered 2020/481, the Board, in parallel with the CJEU decision, considered that filing a complaint with the Board will not prevent a simultaneous application for a judicial remedy.

The Board further clearly underlined the need to strike a balance between the public interest and the fundamental rights and freedoms of the relevant person when assessing the right to be forgotten.¹⁵

Criteria to be evaluated in terms of requests to remove the names and surnames of relevant persons from search engine indexes

Subsequently, the Board provided a list of criteria for the evaluation of the applications to be made within this scope, set out a roadmap that can be considered as a guide for the applications, and added that the characteristics of the concrete dispute will also be taken into consideration.¹⁶ The criteria, which are in line with the requirements in the WP Guidelines, are as to whether:

1. The data subject is a public figure
2. The data subject is a child
3. The information is in accordance with the fair value
4. The information is related to the work life of the person
5. The information contains derogatory expressions and insults and constitutes slander
6. The information is not sensitive personal data
7. The information is up-to-date    
8. The information contains bias
9. The information poses risk
10. The information has been published by the data subject 
11. The information is related to a data processed within the scope of journalistic activity
12. The publication of the information is based on a legal obligation
13. The information is related to a criminal offense.

Not all of these conditions will apply in any given dispute, and the criteria applicable to the specific case will be taken into consideration. The burden of proof will remain with the party making the claim in terms of the conditions that require proof.

The Board applied the criteria it had determined in its decision dated 08.12.2020 and numbered 2020/927; and rejected the application of an academic claiming right to be forgotten in relation to news reports about irregularities in the recruitment of a family member to a vacant position at the same university. The Board determined that:

'the relevant person is working at a public university, an investigation was conducted by the university and the irregularity allegations turned out to be correct, the information is not sensitive personal data, up-to-date and related to the data subject’s current work life, and the content can be evaluated within the scope of journalistic activity.'¹⁷

Conclusion

While it is important in terms of individual rights to protect the right to privacy and the right to be forgotten against the risk of unnecessary and prolonged access to individuals' personal data, it should not be forgotten that the exercise of this right should not conflict with freedom of expression. 

Therefore, when applying the criteria set by the Board in parallel with the WP Guidelines, it is important to set the right balance between the privacy of private life and the freedom of expression in every concrete case. It is appropriate to avoid overly broad interpretations and to ensure a balance between the freedom of information and freedom of expression of the public, on the one hand, and the right to be forgotten on the other.