Abstract:
The recognition of the right to privacy has evolved greatly in the digital era where technological advancements have led to an increased scale of processing activities, cross border transfers, easy access to information and the development of the digital economy. Due to these developments, information has become easily accessible and retainable. The “right to erasure or delete” emanated from the ideal that persons should have a right to decide what information is
processed and maintain control over their information.
In 2014, the Court of Justice of the European Union (CJEU) held for the first time that persons have a “right to be forgotten” in its judgement of Google Spain SL and Google Inc. v Agencia Espanola de Proteccion de Datos (AEPD) and Mario Costeja Gonzalez. Prior to this judgement, the “right to erasure” was recognised where personal information was irrelevant, excessive, outdated or the processing was unlawful. While the South African Protection of Personal Information Act 4 of 2013 (POPIA), does not expressly provide for a “right to be forgotten’”, it does
provide for the “right to delete” with requirements substantially similar to the “right to be forgotten or erasure” under European data protection legislation.
There are fundamental challenges identified in the paper regarding the implementation of this right, including the lack of interpretation from a technical perspective which will ultimately influence how successful it becomes in practice, the impact it has on other existing rights such as the right to freedom of expression, the right to access to information and how this balance will be achieved by entities who are obligated to fulfil these requests.
The paper further provides recommendations for South Africa to navigate the challenges and close the gap that currently exist in the exercise of the right to delete. Recommendations include the definition of a standard by the Information Regulator on what constitute the right to delete, journalistic, literary and artistic purposes as well as public interest. It also recommends more intrusive oversight by the Information Regulator on the entities that must fulfil this requirement.
This is to ensure the correct balance is applied by responsible parties required to balance private and public interests.