The Right to Be Forgotten in Romania: Before and After the ECJ Judgment in Google V. González

Şandru, Simona

doi:10.1007/978-3-030-33512-0_9

The Right to Be Forgotten in Romania: Before and After the ECJ Judgment in Google V. González

Simona Şandru¹³

Chapter
First Online: 07 March 2020

837 Accesses

Part of the book series: Ius Comparatum - Global Studies in Comparative Law ((GSCL,volume 40))

Abstract

The right to privacy and the right to personal data protection are two fundamental rights enshrined in the European Union’s treaties and Charter, providing individuals with proper tools of control over their private life. The “right to be forgotten” may be considered one of these tools. After being expressly consecrated by the European Court of Justice in a 2014 ruling which involved a search engine on the Internet, this right seems to have its own path, apart from the existing legal regime of the data subjects’ rights, as judicial and administrative practice shows it (in Romania, as well). As of the 25th of May 2018, a new European Union regulation directly and uniformly applies in all the Member States and specific legal provisions on the right to be forgotten have come into force. Romania is taking part in all these reforms, so the legal transplant of the right to be forgotten was smoothly put in place with all its relevant guarantees, besides the domestic civil legal protection of the personal rights which is under the judiciary’s scrutiny.

This is a preview of subscription content, log in via an institution.

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 149.00; Price excludes VAT (USA)

Softcover Book: USD 199.99; Price excludes VAT (USA)

Hardcover Book: USD 199.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

1.
“In fact, it is best to think of the Warren and Brandeis tort not as a great American innovation, but as an unsuccessful continental transplant.” Whitman (2004), p. 1204.
2.
“Charte du droit à l’oubli numérique dans la publicité ciblée”; “Charte du droit à l’oubli numérique dans les sites collaboratifs et moteurs de recherche” (Google and Facebook did not sign this charter). See: http://archives.gouvernement.fr/fillon_version2/gouvernement/charte-du-droit-a-l-oubli-numerique-mieux-proteger-les-donnees-personnelles-des-interna.html (Accessed 19 April 2017).
3.
Case C-131/12, Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, ECLI:EU:C:2014:317.
4.
The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), OJ L 119, 4.5.2016, pp. 1–88, is equally and mandatory applicable in all Member States of the EU as of the 25th of May 2018.
5.
The “data subject” is the term used for the individual whose personal information is being processed.
6.
Article 17
Right to erasure (‘right to be forgotten’)
1. 1.
  The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
  1. (a)
    the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. (b)
    the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
  3. (c)
    the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
  4. (d)
    the personal data have been unlawfully processed;
  5. (e)
    the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  6. (f)
    the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
2. 2.
  Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
3. 3.
  Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
  1. (a)
    for exercising the right of freedom of expression and information;
  2. (b)
    for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  3. (c)
    for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
  4. (d)
    for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  5. (e)
    for the establishment, exercise or defence of legal claims.
7.
European Court of Human Rights, Case of Rotaru v Romania (application no. 28341/95), judgment of 29 March 2000.
8.
Law 677/2001 on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data, OJ 790/12.12.2001 (for the purpose of this paper, the English version of the Law 677/2001 is the one available on http://www.dataprotection.ro/index.jsp?page=legislatie_primara&lang=en. Accessed 20 April 2017).
9.
Art. 3 of Law 677/2001: “e) data controller: - any natural or legal person, including public authorities, institutions and their legal bodies, that establishes the means and purpose of the personal data processing; if the purpose and means of the personal data processing is set out or based on a legal provision, the data controller shall be the natural or legal person assigned as data controller by that specific legal provision”.
10.
Art. 14: The Right of Intervention upon the Data
1. (1)
  Every data subject has the right to obtain from the data controller, upon request, and free of any charge: a) as the case may be, rectification, updating, blocking or deletion of data whose processing does not comply with the provisions of the present law, notably of incomplete or inaccurate data; b) as the case may be, transforming into anonymous data the data whose processing does not comply with the provisions of the present law; c) notification to a third party to whom the data were disclosed, of any operation performed according to letters a) or b), unless such notification does not prove to be impossible or if it does not involve a disproportionate effort towards the legitimate interest that might thus be violated.
2. (2)
  In order to exert the right stated in paragraph (1), the data subject shall fill in a written, dated and signed petition. The petitioner may state his/her wish to be informed at a specific address, which may also be an electronic mail address, or through a mail service that ensures confidential receipt of the information.
3. (3)
  The data controller has the obligation to communicate the measures taken, based on the provisions of paragraph (1), as well as, as the case may be, the name of a third party to whom the data concerning the data subject were disclosed, within 15 days from the date of the petition’s receiving, whilst complying with the petitioner’s possible option, according to paragraph (2).
11.
Art. 15: The Right to Object
1. (1)
  The data subject has the right to object at any moment, based on justified and legitimate reasons linked to his particular situation, to a processing of data regarding him/her, unless there are contrary specific legal provisions. In case of justified opposition, the processing may no longer concern the respective data.
2. (2)
  The data subject has the right to object at any moment, free of charge and without any justification, to the processing of the data concerning his/her person for overt marketing purposes on behalf of the controller or of a third party, or to be disclosed to a third party for such a purpose.
3. (3)
  In order to exercise the rights stated under paragraphs (1) and (2), the data subject shall fill in and submit to the data controller a written, dated and signed petition. The petitioner may specify if he/she wishes to be informed at a specific address, which may also be an electronic mail address, or through a mail service that ensures confidentiality.
4. (4)
  The data controller has the obligation to inform the data subject of the measures taken, based on the provisions of paragraph (1) or (2), as well as, as the case may be, the name of the third party to whom the data concerning the data subject were disclosed, within 15 days of the date of the petition’s arrival, in compliance with the petitioner’s option, according to paragraph (3).
12.
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995, pp. 31–50.
13.
As of the 25th of May 2018, the Law 677/2001 was repealed by Law 129/2018 (OJ 503/19.06.2018), that ensures the implementation of GDPR in Romania. The legal framework was completed by Law 190/2018 (OJ 651/26.07.2018), as regards the domestic implementation of a few GDPR provisions which were left in the margin of appreciation of the Member States.
14.
Law 677/2001 had a restricted scope for the processing operations related to criminal law and public order activities and excludes from its application the processing operations related to national defense and national security activities (Art. 2 para. (5) and (7)).
15.
Law 677/2001 restricted the exercise of the rights to information, to access, to intervention and to object if their enforcement could affect the efficiency of the action or the legal objective followed by a public authority engaged in criminal law or public order activities (Art. 16). However, the restriction was limited only to the period necessary to achieve this goal, so afterwards, measures had to be taken in order to comply with the requests of the data subject.
16.
Law 102/2005 regarding the setting up, organisation and functioning of the National Supervisory Authority for Personal Data Processing, OJ 391/9.05.2005.
17.
The management of this authority (President and Vice-President) has to be politically independent, their functions being incompatible with any other public or private functions, except for the academic ones. The Romanian Senate is vested with the power of appointing and revoking the management. The yearly report of the authority is also submitted to the Senate. The authority’s staff is directly employed and the authority has its own budget, stipulated as a distinct part of the State budget. No one can give instructions to the authority or subject it to an imperative mandate or mandate of representation. All these legal stipulations ensure institutional, functional and financial independence of the authority.
18.
Art. 21 para. (3) of the Law 677/2001:

The supervisory authority shall monitor and control with regard to their legitimacy, all personal data processing, subject to this law. In order to achieve this purpose, the supervisory authority exerts the following attributions: a) issues the standard notification forms and its own registers; b) receives and analyses the notifications concerning the processing of personal data and informs the data controller on the results of the preliminary control; c) authorizes personal data processing in the situations set out by law; d) may dispose, if it notices the infringement of the provisions of the present law, temporarily suspending the data processing or ending processing operations, the partial or total deletion of processed data and may notify the criminal prosecution bodies or may file complaints to a court of law; d1) informs the natural or legal persons that work in this field, directly or through their associative bodies on the need to comply with the obligations and to carry out the procedures set out by this law; e) keeps and makes publicly accessible the personal data processing register; f) receives and solves petitions, notices or requests from natural persons and communicates their resolution, or, as the case may be, the measures which have been taken; g) performs investigations –ex officio, or upon requests or notifications; h) is consulted when legislative drafts regarding the individual’s rights and freedoms are being developed, concerning personal data processing; i) may draft proposals on the initiation of legislative drafts or amendments to legislative acts already enforced, in the fields linked to the processing of personal data; j) collaborates with the public authorities and bodies of the public administration, centralizes and analyzes their yearly activity reports on the protection of individuals with regard to the processing of personal data, issues recommendations and assents on any matter linked to the protection of fundamental rights and freedoms regarding the processing of personal data, on request of any natural person, including the public authorities and bodies of public administration; these recommendations and assents must mention the reasons on which they are based and a copy must be transmitted to the Ministry of Justice; when the recommendation or assent is requested by the law, it must be published in the Official Journal of Romania, Part I; k) co-operates with similar foreign authorities in order to ensure common assistance, as well as with foreign residents for the purpose of guaranteeing the fundamental rights and freedoms that may be affected through personal data processing; l) fulfills other attributions set out by law; m) the manner in which the National Supervisory Authority for Personal Data Processing is organized and functions is set out by law.
19.
“On those grounds, the Court (Grand Chamber) hereby rules:
(…)
3. Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, in order to comply with the rights laid down in those provisions and in so far as the conditions laid down by those provisions are in fact satisfied, the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.
4. Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, when appraising the conditions for the application of those provisions, it should inter alia be examined whether the data subject has a right that the information in question relating to him personally should, at this point in time, no longer be linked to his name by a list of results displayed following a search made on the basis of his name, without it being necessary in order to find such a right that the inclusion of the information in question in that list causes prejudice to the data subject. As the data subject may, in the light of his fundamental rights under Articles 7 and 8 of the Charter, request that the information in question no longer be made available to the general public on account of its inclusion in such a list of results, those rights override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name. However, that would not be the case if it appeared, for particular reasons, such as the role played by the data subject in public life, that the interference with his fundamental rights is justified by the preponderant interest of the general public in having, on account of its inclusion in the list of results, access to the information in question.”
20.
As regards the way the European data protection authorities, assembled in the Working Party Article 29, interpret and apply the ECJ ruling, see “Guidelines on the implementation of the Court of Justice of the European Union judgment on “Google Spain and Inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12” (14/EN WP 225, adopted on 26.11.2014, available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp225_en.pdf. Accessed 20 April 2017).
21.
The new Romanian Civil Code entered into force on the 1st October 2011. Before that date the Decree 31/1954 on natural and legal persons contained some provisions concerning the personality rights, such as the right to a name or the right to reputation. See more in Șandru (2016), pp. 303–309.
22.
As regards this right, the Civil Code invokes the special law on data protection, as the governing law.
23.
For instance, the judge admitted that the recording without consent of an incident between two neighbours, in the private yard of one of them is a privacy infringement, and awarded to the plaintiff compensation for the moral damages—civil judgment 601/2017 of City Court of Aiud, available at rolii.ro. Accessed 3 November 2017. Other cases are cited below (see footnotes 33 and 34).
24.
For an elaboration, see Muraru and Tănăsescu (2008), p. 173.
25.
For violating any rights (including the rights to intervention and to object) a fine might be applied, between 1000 lei and 25,000 lei (1 Euro is around 4.50 lei, and 1 USD is around 4.10 lei), according to Art. 32 of the Law 677/2001. The GDPR raised the maximum amount of a fine up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, in case of infringement of the provisions on the data subjects’ rights (Art. 83 para. 5).
26.
For instance, according to the 2013 report, the Romanian DPA found that a public institution disregarded the applicable legal provisions, disclosing personal data on the Internet consisting of national identity number and home address or the address of the properties listed in the declarations of assets and interests of some people who have held public office. After the investigation, the data were made anonymous. Other cases involved the omission to delete personal details associated with an account available on a selection of workforce related website (in 2007), the continuous disclosure on the Internet of the national identity number associated with fiscal data (in 2008 and 2011), the excessive publication of personal data on the official websites of the courts of law and of a prosecutor’s office, in 2012 (a few yearly reports are available in English at the http://www.dataprotection.ro/index.jsp?page=Annual%20reports&lang=en. Accessed 1 May 2017).
27.
For instance, there was a case involving the refusal of a company to delete personal data associated with judicial information republished from the official website and indexed on the Internet, where the court of law upheld the position of the Romanian DPA (the 2014 DPA’s report of activity, pp. 44–48, available in Romanian at http://www.dataprotection.ro/index.jsp?page=Rapoarte%20anuale&lang=ro. Accessed 1 May 2017).
28.
See p. 74 of the 2015 DPA report of activity. The cited cases concern the disclosure of personal data on the Internet, associated with judicial cases, republished by private websites or images and defamatory information indexed from private blogs.
29.
“Art. 18: The Right to Refer to a Court of Law
(1) Without prejudice to the possibility of addressing the supervisory authority, the data subject has the right to address to a court of law in defense of any rights, guaranteed by the present law, that have been infringed. (2) Any person that has suffered a prejudice as a consequence of unlawful processing of personal data may address a competent court of law in order to obtain compensation for the prejudice suffered. (3) The competent court of law is the one whose territorial jurisdiction covers the complainant’s domicile. The complaint addressed to the court of law is exempt from stamp tax.”
30.
At the time of the ruling, the plaintiff’s personal data were no longer available on the Internet.
31.
For other comments on this judgment, see Zanfir (2012).
32.
For the purpose of this paper, in 2017 a few questions were addressed to all the appeal courts of Romania (except for the military one) and to the High Court of Cassation and Justice. The answers received show that the vast majority of the courts have no records of judgments regarding the deletion of personal information from the Internet or delisting of personal data by the search engines on the Internet, neither based on Law 677/2001, nor on other legal grounds. In two cases, the courts also indicated they received ordinary requests for deleting information from their public sites, related to the judicial files where the petitioners were involved. Besides this “public access exercise”, we have also consulted the publicly available sources of judicial information, such as: portal.just.ro, www.scj.ro, www.rolii.ro, www.jurisprudenta.org. Judicial information published on the official sites of the Romanian courts is not indexed on the Internet.
33.
Civil judgment no. 192/2015 of the Cluj County Court (according to the answers received during the public access exercise). The case was against a physician and the company owning the website where images of the plaintiff were disclosed for advertising purposes, over the administered medical treatment (“before” and “after” a facial plastic surgery), without the plaintiff’s consent. The court found that a breach of the plaintiff’s rights to image and privacy occurred and ordered the deletion of those images from the Internet, publication of the judgment on the said website and compensation for moral damages.
34.
Civil judgment no. 97/2017 of the Vișeu de Sus City Court (according to the answers received during the public access exercise). The case was against a number of individuals who published on Facebook photos of the plaintiff and several negative comments with a defamatory character, related to her personal profile, sexual habits, etc. The court found that a breach of the plaintiff’s right to image occurred and ordered the defendants to delete those images and comments from Facebook, to refrain from having again this kind of conduct and to pay compensation for moral damages.
35.
Civil judgment no. 14/CA/2015 of the Constanța Court of Appeal (according to the answers received during the public access exercise). The case was against this court and the Ministry of Justice.
36.
According to the information on portal.just.ro (Accessed 3 November 2017). In the latter case, Google refused to delete the link associated with a blog where defamatory information was published in relation to the personal activity of the individual who complained to the Romanian Data Protection Authority. The Google action was rejected as inadmissible by the Bucharest Court of Appeal (extract from this decision—civil judgment no. 3283/2017—is available on the www.rolii.ro).
37.
According to a press release on 22.04.2016 available at http://www.dataprotection.ro/?page=drept_de_interventie_fata_de_google&lang=ro (Accessed 12 May 2017).
38.
The court upheld that by publishing on the Internet, the personal data become accessible to an indefinite number of persons, so the data subject has no knowledge about the entities downloading the personal information and the way they are subsequently used; the potential impact of the means of communication is highly significant, thus publishing news online has a faster and stronger effect than in printed press, as regards the dissemination and further use of the information by various entities. As a result, the court stated that the data subject’s interest to obtain deletion of personal data revealed on the Internet prevails over the economic interest of the controller, as the ECJ also ruled in the case C-131/12.
39.
For an elaboration, see Șandru (2016), p. 217; Zanfir (2015), pp. 145–165.
40.
More comments in Șandru (2016), p. 179 et passim.
41.
For an elaboration on this subject, see Opre and Șandru (2015), pp. 270–280.
42.
“We appreciate that this cannot be considered a sufficient mean to satisfactorily guarantee the rights of data subjects according to the ruling and in order for the de-listing to be effective, it should apply on all relevant domains, including.com.”—p. 70.
43.
Available at https://www.google.com/webmasters/tools/legal-removal-request?complaint_type=rtbf&visit_id=0-636309063139388868-4096106632&hl=ro&rd=1 (in Romanian). Accessed 20 May 2017.
44.
Google offers examples such as: financial scams, malpraxis, criminal conviction, public behaviour as an official public figure.
45.
Otherwise, Google recommends in this web form and in their standard answers to contact the local data protection agency, in case a petitioner is not satisfied with their solution.
46.
The report is available at https://www.google.com/transparencyreport/removals/europeprivacy/?hl=en. Accessed 20 May 2017.
47.
According to the Romanian DPA reports (available at http://www.dataprotection.ro/?page=Rapoarte%20anuale&lang=ro).
48.
For instance, Google provides an example where it refused to remove recent articles about a high ranking public official, referring to a decades-old criminal conviction (request from a Hungarian individual).
49.
More information about the modernisation process of the Convention no. 108/1981 for the Protection of Individuals with Regard to the Processing of Personal Data (started in 2011) is available at https://www.coe.int/en/web/data-protection/convention108/modernised (Accessed 30 October 2018). Article 27 of the new Convention regulates on accession by non-member States and international organisations to the Convention.

References

Costescu ND (2016) Google Spain decision – an analysis of the right to be forgotten - a regression from past interpretations of ECJ. Analele Universității din București 1:64–71
Google Scholar
Jugastru C (2017) Tradiţie şi inovaţie în materia protecţiei datelor cu caracter personal (Tradition and innovation in data protection field). Universul Juridic 2:74–84
Google Scholar
Muraru I, Tănăsescu ES (2008) In: Muraru I, Tănăsescu ES (eds) Constituţia României. Comentariu pe articole (Romanian Constitution. Comments by articles). C.H. Beck, Bucharest, pp 169–175
Google Scholar
Opre AG, Șandru S (2015) Dreptul de a fi uitat pe Internet, mijloc de combatere a discriminării (The right to be forgotten on the Internet, a tool for combating discrimination). In: Tomescu M (ed) Exercitarea dreptului la nediscriminare și egalitate de șanse în societatea contemporană; Lucrările celei de a IX-a Conferințe a nediscriminării și egalității de șanse – NEDES 2015 (The right to non-discrimination and equal opportunities in contemporary society; the 9th NEDES Conference 2015). ProUniversitaria, Bucharest, pp 270–280
Google Scholar
Șandru S (2016) Protecția datelor personale și viața privată (Protection of personal data and private life). Hamangiu, Bucharest
Google Scholar
Şchiopu S-D (2017) Dreptul la ştergerea datelor şi dreptul la aducerea ultimului omagiu: a fi uitat sau a fi ţinut minte? (The right to delete data and the right to pay a last tribute: to be forgotten or to be remembered?). Universul Juridic 2:85–93
Google Scholar
Warren SD, Brandeis LD (1890) The right to privacy. Harv Law Rev 4:193–220
Article Google Scholar
Whitman JQ (2004) The two western cultures of privacy: dignity versus liberty. Yale Law J 113
Google Scholar
Zanfir G (2012) Protecția datelor cu caracter personal. Categorii speciale de date. Despăgubiri morale (Jud. sect. 1 București, sentința din 16 martie 2009, irevocabilă) (Protection of personal data. Special categories of data. Moral damages. Court of District 1, Bucharest, judgment of 16 March 2009, final). Pandectele Române 2:143–155
Google Scholar
Zanfir G (2015) Protecția datelor personale. Drepturile persoanei vizate (Protection of personal data. The rights of data subjects). C.H. Beck, Bucharest
Google Scholar

Download references

Author information

Authors and Affiliations

Law School, University of Bucharest, Bucharest, Romania
Simona Şandru

Authors

Simona Şandru
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

Georgetown University Law Center, Washington, DC, USA
Franz Werro

Rights and permissions

Reprints and permissions

Copyright information

About this chapter

Cite this chapter

Şandru, S. (2020). The Right to Be Forgotten in Romania: Before and After the ECJ Judgment in Google V. González. In: Werro, F. (eds) The Right To Be Forgotten. Ius Comparatum - Global Studies in Comparative Law, vol 40. Springer, Cham. https://doi.org/10.1007/978-3-030-33512-0_9

Download citation

DOI: https://doi.org/10.1007/978-3-030-33512-0_9
Published: 07 March 2020
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-33511-3
Online ISBN: 978-3-030-33512-0
eBook Packages: Law and CriminologyLaw and Criminology (R0)

Publish with us

Policies and ethics