The right to digital oblivion actually refers to the concept of dereferencing. This was confirmed by the Court of Justice of the European Union (ECJ) in the Google Spain v Costeja judgment delivered on 13 May 2014. In that case, a Spanish applicant found, when searching his name on Google, that the search engine linked to an article in the Spanish daily newspaper « La Vanguardia » which revealed that he had been the subject of a seizure for debt recovery.
After unsuccessfully asking the newspaper and the search engine to remove the information, the Spanish petitioner turned to the Spanish data protection agency, which ordered Google to remove the pages and links to the publication. Google Inc. and Google Spain then lodged an appeal with the ECJ. The Commission considered, on the basis of Directive 95/46/EC, that data that are « inadequate », « no longer relevant » and « excessive » could be found incompatible with the Directive even if they had been lawfully processed.
The right to dereferencing therefore means that the means to access data will be removed, but not the data themselves.
Moreover, the right to be forgotten has recently been regulated by the General Data Protection Regulation (GDPR) adopted on 27 April 2016, which will enter into force on 25 May 2018. Article 17 of this text, entitled « right to erasure (« right to be forgotten ») », obliges the controller to comply as soon as possible with the data subject’s request for the erasure of the data collected relating to him or her.
The article specifies that this applies if: « personal data are no longer necessary for the purposes for which they were collected or otherwise processed, the data subject withdraws the consent on which the processing is based (…), the data subject objects to the processing (…), the personal data have been unlawfully processed, personal data must be erased in order to comply with a legal obligation under Union law or under the law of the Member State to which the controller is subject, the personal data were collected in the context of the provision of information society services (…) ».
Article 17 adds that when one of the conditions mentioned applies to the controller, the controller is obliged to take reasonable measures to make the data subject’s request known to the other controllers.
However, the third and last paragraph of this Article emphasises that the rules contained in the first two paragraphs will not apply if the processing of the data proves necessary[i].
Nevertheless, authors Eduard Fosch Villaronga, Peter Kieseberg and Tiffany Li explain in an article that this right to dereferencing is difficult to reconcile with artificial intelligence. To do so, they distinguish between the way in which this right is commonly perceived in the human mind and the reality of its possible application within the framework of artificial intelligence systems. Based on cognitive psychology, they try to demonstrate that human memory is divided into two categories, long-term memory and short-term memory, the limits of which are still extremely vague at the present time. By contrast, despite the complexity that artificial intelligence systems can achieve, it is possible for computer scientists to understand, in broad terms, how the memory of artificial intelligence works.
This memory usually takes the form of a B-tree, a data structure developed to allow rapid retrieval of information in the event of a search.
The only way to achieve effective enforcement of a right to be forgotten as we understand it, that is, preventing access to our personal information by others, would therefore be to delete or erase the memory key allowing such access[ii].
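The difference between deleting the access key and deleting the data themselves can be shown in a few lines. This is an added example, not code from the cited article: a sorted key list with binary search stands in for the B-tree, and `RecordStore`, its method names and the sample records are all hypothetical.

```python
import bisect

class RecordStore:
    def __init__(self):
        self.heap = bytearray()          # raw storage: the data themselves
        self.keys, self.slots = [], []   # sorted keys; (offset, length) per key

    def _find(self, key):
        i = bisect.bisect_left(self.keys, key)
        return i if i < len(self.keys) and self.keys[i] == key else None

    def put(self, key, value):
        if self._find(key) is not None:
            raise KeyError(f"duplicate key: {key}")
        data = value.encode("utf-8")
        i = bisect.bisect_left(self.keys, key)
        self.keys.insert(i, key)
        self.slots.insert(i, (len(self.heap), len(data)))
        self.heap += data

    def get(self, key):
        i = self._find(key)
        if i is None:
            return None
        off, n = self.slots[i]
        return self.heap[off:off + n].decode("utf-8")

    def dereference(self, key):
        """Delete only the key: lookups fail, the bytes stay in storage."""
        i = self._find(key)
        if i is None:
            return False
        del self.keys[i], self.slots[i]
        return True

    def erase(self, key):
        """Overwrite the record's bytes, then delete its key."""
        i = self._find(key)
        if i is not None:
            off, n = self.slots[i]
            self.heap[off:off + n] = b"\x00" * n
        return self.dereference(key)

def demo():
    s = RecordStore()                    # records below are constructed samples
    s.put("person-a", "seizure for debt recovery")
    s.put("person-b", "unpaid invoice")
    s.dereference("person-a")            # key removed, data left in place
    s.erase("person-b")                  # data overwritten, then key removed
    return s.get("person-a"), b"seizure" in s.heap, b"invoice" in s.heap
```

`demo()` returns `(None, True, False)`: the dereferenced record can no longer be looked up, yet a direct scan of storage still finds it, while the erased record is gone from both.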
One could also consider the possibility of fragmenting the data so as to obtain such small groups of data that it would become very complicated to identify these data[iii].