Since the advent of the Internet, the issue of human privacy remains one of the most controversial and problematic in the legal literature. The processing of personal data on the Internet is becoming more common, and nowadays it is an inevitable part of human life. Proper protection of human personal data within the EU, especially on the Internet, requires solving the problem of constant disclosure of such data. As soon as personal data is disclosed (primarily in the field of the Internet), it is usually available for an indefinite period of time. However, this practice creates serious risks of violating the right to privacy of the person. In this regard, the right to be forgotten, particularly in relation to digital space and internet activities, is a new legal phenomenon that reaches high relevance in the legal literature.

As it is known, when analyzing the right to be forgotten, we almost always intuitively slip into the sphere of protection of privacy and human personality.[1] This is not accidental, because often the justification for the emergence and development of this right is considered to be the protection of privacy, especially if we take into account that the concept of privacy is associated with the level of development of technology and its use in everyday life. The emergence of the phenomenon of the right to be forgotten in the EU’s legal reality can clearly be considered as a step forward in the question of ensuring the privacy protection of the data subject, giving him/her a carte blanche to protect his/her privacy in conditions when “the Internet never forgets”.[2] The right to be forgotten in the GDPR is based on existing rules to better manage the risks of data protection on the Internet. Thus, the right to be forgotten becomes one of the main mechanisms for preventing potential damage to human rights and his/her personality in the context of the datafication of society.

From the very beginning, the idea of the right to be forgotten is based on the desire to provide an effective remedy for the “criminal past”. As A. Mantelero points out, historically, the right to be forgotten arises from the need “of an individual to determine the development of his life in an autonomous way, without being perpetually or periodically stigmatized as a consequence of a specific action performed in the past”.[3] The right to be forgotten in this case has the justification of privacy as a fundamental right, the goal of which is to avoid possible damage that may be caused to the reputation of the individual.

At the same time, another justification for the right to be forgotten may be the concept of the right to personal identity. In this context, the right to be forgotten can expand its scope and gain a new dimension of essence. Information technologies have given a person the opportunity to project his/her identity in the digital space, which implies providing a person with those legal instruments with which he/she can do this, including through the right to be forgotten. Indeed, some elements of the right to be forgotten can be traced in the concept of the right to information self-determination, which a number of scholars recognize as one of the conceptual foundations of the right to data protection, enshrined in Article 8 of the EU Charter on Fundamental Rights (CFR), despite the fact that this right does not exist in EU law, but is peculiar to German law. In particular, the German Federal Constitutional Court (FCC), in its judicial practice on the “right to be forgotten” expanded information self-determination to include the commercial use of data by technology giants, since they limit the space of individual discretion and informational self-determination.

In 1983, the German Federal Constitutional Court (FCC) in its judgment, known as the Volkszählungsurteil,[4] declared the law authorizing the collection and exchange of census information between authorities unconstitutional (invalid). This judgment emphasized the “right to informational self-determination” arising from the constitutional interpretation of the consolidation of the general right to personality and protection of human dignity. Moreover, this judgment highlighted the need to protect personal data from automation interference and their relationship to autonomy and personal dignity. The Court in its judgment did not deny that data plays a dominant role in the development of public policy in solving public issues, however, it showed insufficient awareness of data subjects about the processing of their personal data to perform state functions in the field of taxation and social security. This decision provided the first insight into the differences in understanding of the right to privacy and the role of the positive right to data protection aimed at protecting the right to self-determination and human dignity.

The concept of information self-determination refers to the right and opportunity of each person to determine what information about him/her is disclosed to others, and for what purposes such information can be used. For some scholars, it also provides full control over the use of personal data to the individual. Moreover, the recital 7 of the GDPR also states that “[n]atural persons should have control of their own personal data”, so one can somewhat agree with those scholars who argue that the idea of information self-determination is the main reason for the GDPR. The GDPR-rights, including the right to be forgotten, are to some extent based on the concept of information self-determination, however, it is impossible to exercise full control through these rights due to important limitations of the rights themselves provided for in the GDPR. Thus, the right to be forgotten can be exercised only if one of a limited set of situations is provided. Therefore, it is not possible to say that data subjects have a general right to request the deletion of their personal data or object to the processing of their personal data. In this framework, some scholars, such as P. Bernal and N. Andrade, argue that the right to be forgotten can directly flow from the right to online identity.[5] In this understanding, the right gives the opportunity to choose the information, the data as the “building blocks” that will form his/her digital identity, the choice of “which information about him is and will be available and accessible”, as well as to maintain and control what will be his/her reputation and dignity, even post-mortem. This understanding of the right to be forgotten makes it possible to apply it more widely as a right “to determine for themselves when, how, and to what extent information about them is communicated to others” or as a right that gives an individual greater control over personal information. For example, N. Tirosh argues that this right is not a guarantee of privacy, but rather the right to create their own narrative, appealing to the fact that people are given more “right of control” over their own personal data and, therefore, their identity.[6]

The same information technologies have given the person himself the opportunity to project his identity in the digital space, for example, through the right to be forgotten. As N. Andrade notes: “The proposed conceptualization of the right to be forgotten not only makes sense from an identity point of view, it also contributes to the further development of the modern conception of identity, reinforcing its ‘anti-essentialistic’ understanding”.[7] Such a projection involves the creation of self-images in the digital space that reveal the elements of a person’s personality. With the creation of these self-images, a person’s digital life enters into another aspect of human existence, which, although closely related to traditional life, is nevertheless characterized by specific interactions with other people. Providing legal protection only to personal data, regardless of the protection of the individual himself, is erroneous: the personal data that make up a person’s digital life are not just data—they are the constituent elements of a digital personality. “All data about us, in fact, are components of our personality”,[8]—notes R. Richterich. Creating or choosing your own content for your digital identity involves providing a person with the legal tools with which they create and protect their choice. To paraphrase Benn, who points out that if an individual is confident that he/she can be himself/herself, he/she can believe in himself as a person: it can be said that the law should provide a person with confidence that he/she can be the person he/she wants to be.[9] In this sense, a person is a subject who realizes himself/herself as an agent choosing and trying to control his/her own course in the digital world. The new, informational nature of identity makes it a matter of data processing and information management, therefore many legal mechanisms that are provided and applied in the context of personal data protection can become legal tools for identity protection. Thus, G. Pino, characterizing the right to personal identity as a fairly flexible right, considers it closely related to the right to be forgotten and the right to personal data protection.[10]

The recognition of a person’s digital identity as a justification for the right to be forgotten corresponds to the case law of the CJEU, which reflects on the right to be forgotten as a certain emphasis on the assumption of the possibility of “managing” a digital person. In particular, in the judgment of the Google Spain case, a person is granted the right to withdraw a link from search engines.[11] As one can see, this judgment gives a person a tool that allows him/her to control his/her digital identity. Thus, the right to be forgotten becomes one of the tools for the formation of digital identity. Consideration of the right to be forgotten in this way may become a so-called paradigmatic shift in the issue of its justification of privacy, which will expand the scope of the right to be forgotten primarily through a departure from the balance with the right to expression or privacy for reasons of public interest. Also, they can only take place in exceptional circumstances, so the right to identity provides better protection than the right to privacy. In addition, such a justification can be deduced from the judicial practice of the ECtHR. The ECtHR has confirmed that “private life” is a broad term covering, among other things, aspects of physical and social identity, including the right to personal autonomy and personal development, as well as to establish and develop relationships with other people and the outside world.[12] The right to be forgotten can become the right to represent an actual identity.

From the above-mentioned point of view, the right of each person to create their own digital identity perimeter may become a new perspective on the recognition of the right to digital identity as the basis for informational self-determination. The GDPR states that individuals should have control over their personal data, and lays the foundation for recognizing the right to information self-determination, the content of which can be determined using the GDPR-rights, i.e. the rights to receive, delete, correct, access, object information, as well as restrict processing, data portability, and not be subject to a decision based solely on automated processing. We believe that recognizing the digital identity of an individual as a fundamental right will mean laying a new foundation for the rights provided for in the GDPR.

Thus, the right to be forgotten is a dynamic and multidimensional right that unites rights that have a different primary purpose, but have a common ultimate goal of protecting a person, his/her safety, honor, reputation, privacy, personal identity, and dignity in the digital sphere from potential damage. The right to be forgotten, which was originally born as the right to “forget one’s criminal past”, with the development of the Internet has the potential to become a broader right, with more opportunities and potential, having acquired a different essence as a response to the modern challenges of the “Internet that never forgets”.

We believe that the right to be forgotten can turn into the right to represent an actual personal identity, who a person is and who they want to represent in society. Determining the details of one’s physical and social identity contributes to personal development, since an individual has the right to such information, and this is important because of its influence on personality formation. Thus, our democratic society must ensure that we can participate in shaping our future identity, as well as be able to remove certain parts of our past. This emphasizes respect for the free choice of information by each individual. As Andrade points out, since a valid identity can prevail only when past identities are forgotten, the right to be forgotten can play an extremely important role, allowing an individual to reconstruct the narrative of identity with confidence that past identities will not undermine this process.[13]

Modern threats to the individual in the digital world cannot be leveled through the application of a modern legislative framework in the context of the right to privacy. The right to be forgotten is closely related to the ability to rethink oneself, form one’s identity, and present one’s actual identity to the world. From the point of view of ipse identity, the mechanisms specified in the GDPR cannot be considered effective since they do not help a person present himself to others as a person wants, however, the right to be forgotten has the potential to become mechanisms for protecting such identity. Considering the right to be forgotten in the context of personal identity may help to find a new balance of interests.

At the same time, as G. De Gregorio specifies: “[a]lthough, at first glance, the GPDR, as a milestone of European digital constitutionalism, aims to foster the protection of personal data in the Union, the application of data protection rules to the algorithmic environment is far from being straightforward. The implementation of artificial intelligence promises to provide new phases of growth for the internal market and foster fundamental freedoms while, at the same time, the massive processing of personal data through algorithmic technologies questions the basic foundation of data protection law and challenges the protection of fundamental rights and freedoms. This is primarily because there is an intimate connection between (constitutional) law and technology in this case due to the relevance of (personal) data in the algorithmic society”.[14]

In these circumstances, we believe that the existence of a digital person and digital life presupposes the expansion of the legal coordinates of the individual and reveals the need to develop more comprehensive mechanisms for protecting the individual in the digital world. In the context of the prospects and challenges of the development of the right to be forgotten in the EU, special attention should be paid to the need to develop mechanisms to protect the ipse identity. The right to be forgotten has the potential to become one of the mechanisms for protecting such an identity. We conclude that the scope of the right to be forgotten should be expanded and the right to personal identity and human dignity should be considered as a justification.

---

Mgr. Hovsep Kocharyan, Ph.D.

FinTech Lawyer

E-mail address: hovsep.kocharyan.1996@gmail.com

Mgr. Hovsep Kocharyan, Ph.D., is the Co-founder and Head of the Legal Department of Artlex Consult s.r.o. (Prague, Czech Republic), as well as a member of “Metaverse Bar Association” (Ontario, Canada).

He is an experienced FinTech lawyer, providing his legal and business support services in the field of payment systems (PSD2), crypto-industry, GDPR and data protection, AML/CFT compliance, as well as corporate and investment laws in various jurisdictions (Czech Republic, Poland, Netherlands, Cyprus, Estonia, Latvia, Lithuania, UK, SVG, and so on).

Hovsep is also a legal scholar at Palacky University Olomouc (Olomouc, Czech Republic), specialising in International and EU law and conducting research in the field of EU data protection law. He is an author and co-author of a number of Scopus-indexed academic papers devoted to contemporary issues and existing challenges to the protection of the right to be forgotten, Internet access and digital integrity of the person in EU law. In the framework of his academic activities and research grant projects, Hovsep conducted his research at the University of Geneva (Switzerland), University of Copenhagen (Denmark), Karl-Franzens-Universitat Graz (Austria), and University of Oslo (Norway).

Mgr. Lusine Vardanyan

CEO of Artlex Consult s.r.o.

E-mail address: lucyrossetti77@gmail.com 

Mgr. Lusine Vardanyan is the CEO of Artlex Consult s.r.o. (Prague, Czech Republic). She is a highly qualified lawyer providing legal services in the field of Web3 industry, AML/CFT-compliance, criminal law, as well as contract and commercial laws in various jurisdictions (Czech Republic, Slovakia, Estonia, UK, BVI, etc.).

Lusine is also a PhD researcher at the Palacky University Olomouc (Olomouc, Czech Republic), specialising in international and EU law, and conducting research in the field of EU digital law. She is an author and co-author of a number of Scopus-indexed academic papers on problematic aspects of protecting digital integrity, informational self-determination and digital dignity of the individual in EU law. As part of her academic work and grant projects, she conducted research at the University of Zurich (Switzerland), Vrije Universiteit Brussel (Belgium), and University of Amsterdam (Netherlands).

---

[1] Kocharyan, H., Vardanyan, L., Hamuľák,O. & Kerikmäe,T. (2021). Critical Views on the Right to Be Forgotten After the Entry Into Force of the GDPR: Is it Able to Effectively Ensure Our Privacy?. International and Comparative Law Review, Vol. 21, No. 2, pp. 96-115. https://doi.org/10.2478/iclr-2021-0015

[2] Allegri, M.R. (2022). The Right to be Forgotten in the Digital Age. In: Comunello, F., Martire, F., Sabetta, L. (eds.) What People Leave Behind. Frontiers in Sociology and Social Research, vol 7. Springer, Cham. https://doi.org/10.1007/978-3-031-11756-5_15

[3] Mantelero, A. (2013). The EU Proposal for a General Data Protection Regulation and the Roots of the ‘Right to Be Forgotten’. Computer Law and Security Review, Vol. 29, No. 3, pp. 229–235.

[4] BVerfG 15 December 1983, 1 BvR 209/83, Volkszählung.

[5] See Bernal, P. A. (2012). The Right to Online Identity. SSRN Electronic Journal [online]. September 2012. [cit. on 25th December 2023]. Accessible at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2143138; See also: Andrade, N. N. G.. Oblivion: The Right to Be Different from Oneself – Reproposing the Right to Be Forgotten. Revista de Internet, Derecho y Política. No. 13, pp. 122-137

[6] Tirosh, N. (2017). ‘Reconsidering the “Right to Be Forgotten’ – Memory Rights and the Right to Memory in the New Media Era. Media, Culture & Society, Vol. 39, No. 5, 2017, pp. 644–660.

[7] De Andrade, N. N. G. (2012). Oblivion: The Right to Be Different from Oneself – Reproposing the Right to Be Forgotten. Revista de Internet, Derecho y Política. No. 13, pp. 122-137.

[8] Richterich, R. (2019). L’intégrité numérique: le vrai combat pour nos données. Available at:  https://www.letemps.ch/cyber/lintegrite-numerique-vrai-combat-nos-donnees

[9] Benn, Stanley I. (1984). “Privacy, freedom, and respect for persons.” In Philosophical dimensions of privacy: an anthology”, pp. 223-244. Edited by Ferdinand D. Schoeman. Cambridge: Cambridge University Press.

[10] See: Pino, G. (2010). l’identità personale. In Rodotà, S., Tallacchini, M. (eds.), Trattato di biodiritto, 2010, vol. I, Ambito e fonti del biodiritto. Milano: Giuffrè, 297-321 p.; See also: Pino, G. (2006). Il diritto all’identità personale ieri e oggi. Informazione, mercato, dati personali. In Panetta, R. (ed). Libera circolazione e protezione dei dati personali, 2006, Milano: Giuffre’, 275-321 p.

[11] The Court of Justice of the European Union: Judgment of the Court (Grand Chamber) of 13 May 2014, Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González, Case C‑131/12.

[12] ECtHR: Judgment of the Court of 24 September 2007, Tysiąc v Poland. Application No. 5410/03.

[13] Andrade, N. N. G. (2012). Oblivion: The Right to Be Different from Oneself – Reproposing the Right to Be Forgotten. Revista de Internet, Derecho y Política. No. 13, pp. 122-137.

[14] De Gregorio G. (2022). Digital Constitutionalism, Privacy and Data Protection. In: Digital Constitutionalism in Europe: Reframing Rights and Powers in the Algorithmic Society. Cambridge Studies in European Law and Policy. Cambridge University Press; 2022:216-272.