Paper | "Yesterday is Gone, Forget It: The Right to Be Forgotten in China's Cyberspace Governance System"

iNetworkSociety

- Institute of Network Society - The Institute of Network Society - Institute of Intermedia Art, China Academy of Art For more information, please visit http://caa-ins.org

"Yesterday is Gone, Forget It: The Right to Be Forgotten in China's Cyberspace Governance System" was reported in the 4th Annual Conference of Internet Society "Netizen 21: Beyond Personal Accounts" Young Scholars Forum "Panel 2: Social Media Political Economy" criticism". This article was first published in the February 2020 issue of "New Art", a journal of the China Academy of Art.

(This article has a total of 10988 words, and it takes about 25 minutes to read)

About the Author:

Gu Zihui

The University of Illinois at Urbana-Champaign has a master's degree in environmental science, a doctorate in law, and a doctorate in information science (undergraduate). The thesis is mainly in technology law and entrepreneurship law. He is currently the head of compliance at Dimension, an information technology start-up company, and a consultant at Shang Cheng Law Firm in Taiwan. 996 open source protocol drafter.

Yan Han

The founder/CEO of Dimension, dropped out of the computer engineering department of UIUC (University of Illinois at Urbana-Champaign) to start a business. Former independent journalist, former self-driving company engineer; mainly focuses on open source, as well as encryption, digital labor, and privacy protection.

Group portrait of speakers of the 4th Annual Conference of Internet Society "Netizen 21: Beyond Personal Accounts" Panel 2 "Criticism of Social Media Political Economy"

Summary

The "Right to Be Forgotten" (or "Right to Erasure") as defined by the European Union General Data Protection Regulation ("GDPR") is a legal concept that grants individuals the right to When users withdraw their consent to processing – the right to delete their personal data from the Internet (European Union, 2016). Since the concept was first proposed and confirmed in 2014 in the high-profile Google Spain v. González case (2014), it has been considered and discussed in courts around the world , including lower and high courts in Germany, Argentina, the United States, Brazil and South Korea. This article will start from the jurisprudence and legislation of various countries on the "right to be forgotten", conduct an in-depth analysis of the facts and court judgments of the "China's first 'right to be forgotten' case" Ren Jiayu v. Baidu case, and finally discuss the introduction of "right to be forgotten" in China. the challenge of the right to be forgotten”.

Keywords: right to be forgotten; right to be deleted; China

The “Right to Be Forgotten” (or “Right to Erasure”) as defined by the EU General Data Protection Regulation (“GDPR”) is a legal concept that grants individuals the right to When users withdraw their consent to processing – the right to delete their personal data from the Internet (European Union, 2016). The essence of the legal status of recognizing the right to be forgotten is to allow individuals to manage their digital identities in an autonomous way - and as the Internet becomes more and more pervasive in life, the boundaries between digital identities and people's real-life identities become increasingly blurred. In this context, giving individuals the right to be forgotten allows people to not be stigmatized or labeled for their past actions that exist in the Internet in the form of digital footprints (Mantelero, 2013). Since the concept was first proposed and confirmed in 2014 in the high-profile Google Spain v. González case (2014), it has been considered and discussed in courts around the world , including lower and high courts in Germany, Argentina, the United States, Brazil and South Korea. Although the judgments and reasons of the courts of various countries may be varied and not completely consistent, there is no doubt that the right to be forgotten and the potential implications of the right to privacy are receiving great attention from countries around the world and are gradually being recognized as a fundamental human right. Supporters hailed the introduction of the "right to be forgotten" as a step in the right direction, arguing that acknowledging the "right to be forgotten" could stop big tech companies from using personal data indefinitely for commercial purposes and government invasions of personal privacy, Thereby promoting and complementing digital governance and democracy that are lacking in today’s cyberspace. However, the idea has also sparked widespread criticism. Some worry that this right will be difficult to reconcile with the freedom of speech and expression established by some form of legislation in most Western countries . Worse, the "right to be forgotten" can be exploited by ulterior motives to reasonably delete public information, thereby opening the door to content censorship .

The case of Ren Jiayu v. Baidu heard by the People's Court of Haidian District, Beijing, China in 2016 raised the issue of the applicability of the "right to be forgotten" in the Chinese context for the first time. This case is also commonly referred to as "China's 'right to be forgotten' first case". In this case, the plaintiff claimed that search engine provider Baidu had violated its right to be forgotten under the rights of name, reputation and general personality, and requested Baidu to remove links related to its former company from search results. The court rejected the plaintiff's first two claims for the right to name and reputation, and discussed whether a new right to be forgotten could be established within the framework of general personality rights under Chinese law. The court noted that the plaintiff's interest orientation cannot be classified into the existing type of protection of personality rights, and therefore believes that in order for the legal interest to be recognized by the court, it must (1) be justified and (2) be subject to The need for legal protection. Although the court of second instance ultimately dismissed Ren Jiayu’s lawsuit against Baidu, this undoubtedly set a persuasive precedent for supporting the position that the “right to be forgotten” falls within the scope of personality rights in China’s tort liability law.

However, the question of how to correctly interpret the judgment standards of Chinese courts and what are the obstacles to the recognition and exercise of this right in China remains to be answered. This article will start from the jurisprudence and legislation of various countries on the "right to be forgotten", conduct an in-depth analysis of the facts and court judgments of the Ren Jiayu v. Baidu case, and finally discuss the challenges of introducing the "right to be forgotten" in China.

The author of this article, Gu Zihui, at the 4th Annual Conference of Internet Society "Netizen 21: Beyond Personal Accounts"

background

The origin of the right to be forgotten and the General Data Protection Regulation

The concept of the right to be forgotten can be traced back to many existing legislations and judgments in Western countries, and is mainly embodied in the protection of personal rights of ex-convicts. Countries across Europe have enacted laws to prevent the stigma and generalization of "bad guys" from excluding ex-prisoners from the workforce . For example, the 1974 Rehabilitation of Offenders Act of the British Parliament allows persons who have been convicted of a criminal offence but have not re-offended for a certain period of rehabilitation to "sealed" these criminal histories, and therefore, before applying for a job or taking out insurance When the time comes, these released prisoners are not required to disclose their criminal history. The legislation aims to prevent a "living it down" problem, where ex-offenders are prevented from reintegrating into society due to their documented past crimes, such as access to decent jobs, suitable housing and public benefits, etc. Sadly, what was only a lawbreaker a few decades ago has now become a common problem for people living in the digital age: it's almost impossible to get rid of your past because everything is stored somewhere on the server. may surface at any time.

As early as the 1980s, European countries recognized the need for a more general form of protection against infringements that could accompany increasing reliance on data and a dramatic increase in data transactions . As an extension of Article 8 of the European Convention on Human Rights on data privacy, a committee of governmental experts within the European Commission, under the mandate of the European Committee on Legal Co-operation (CDCJ), drafted the The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, adopted in Strasbourg, France, on 28 January 1981 by the member states of the European Union and Signed by non-member states. As the first and only binding international legal instrument on the protection of data privacy, the Convention briefly mentions in Article 8 that, if the processing of personal data by data processors is contrary to domestic law, it shall be “as the case may be” ” to correct or delete that personal data and obtain legal remedies if the request for such correction or deletion is not complied with. Since the convention was passed long before the world entered the internet age or even before the advent of the personal computer, it is reasonable to assume that the lawmakers of the time did not foresee the massive data breach problems brought about by the proliferation of social networks and search engines today, so the The context in which the Convention applies is not the same as the General Data Protection Regulation. In 1995, the EU introduced another important piece of legislation, the predecessor of the General Data Protection Regulation, the Data Protection Directive, which further detailed how personal data is collected and processed in the EU, while " The concept of "Right to Be Forgotten/Erasure" runs through the entire text of the Directive. About a decade after the Directive, the EU ratified Article 8 of the EU Charter of Fundamental Human Rights, "The right to protection of personal data", furthering its commitment to data privacy, and in 2009 with the Lisbon Treaty ” signed into effect.

Until 2010, with the adoption by the French government of the Code of Good Practice on Targeted Advertising and the Protection of Internet Users (Charte sur la publicité ciblée et la protection des internautes) and the Code on the Right to Be Forgotten on Social Networks and Search Engines The Code of Good Practice (Charte du Droit à l'oubli dans les sites collaboratifs et lesmoteurs de recherche) two initiatives, the idea of the "right to forget" (le droit à l'oubli) on the Internet, the The embryonic form of right was formally proposed. Although these codes are not legally binding, they require Internet practitioners, including advertisers, digital marketing agencies, social networks, content service providers and search engine operators, to respect individuals' privacy rights on the Internet and to agree to Data processing/right to object to the use of their data . Following France, the European Commission has also announced that it will introduce a comprehensive legal framework later in 2010 to regulate the collection and processing of personal data within the EU. In the announcement and the white paper accompanying the announcement, the committee made it clear that it would study how to interpret the so-called “right to be forgotten,” which is “ an individual whose data is no longer processed and deleted when it is no longer used for a legitimate purpose. rights ”. The public debate on the right to be forgotten has expanded as the Commission took its first steps forward and a series of important privacy rights cases were brought to court. These efforts culminated in the decision of the Supreme Court of the European Union (“CIEU”) in the Gonzalez case in 2014, and the passage of the General Data Protection Regulation in 2016, making Europe the first to clarify at the judicial and legislative level The area that defines the data subject's right to be forgotten and to erasure. Article 17 of the General Data Protection Regulation, entitled "Right to erasure ('right to be forgotten')", specifies the conditions and scope of the implementation of this right.

Article 17 of the General Data Protection Regulation first defines the subject of rights and obligations of the "right to be forgotten". The subject of rights is a data subject (i.e. a natural person in possession of identified or identifiable personal data) who has the right to require data controllers , natural persons, legal persons and other entities that determine the purposes and means of processing personal data to delete personal data immediately in exceptional circumstances . In addition to the duty to delete the relevant personal data immediately at the request of the data subject, the data controller is also legally obliged to take reasonable steps to notify other data controllers who are processing the relevant data.

Article 17 of the GDPR also outlines the application of the right to be forgotten, namely: (a) “personal data is no longer necessary for the purpose for which it was collected or processed”; (b) “the data subject withdraws consent in such processing”, “and there is no other legal basis for the processing of this data”; (c) the data subject exercises the right to object and there are “no overriding legitimate grounds” for the data controller to proceed with the processing, or the data subject objects processing data for the purpose of direct marketing; (d) "unlawful processing of personal data"; (e) erasure of personal data by the data controller in accordance with mandatory obligations under EU or Member State law; (f) data The purpose of the processing is to provide "information society services" (eg online shopping, live streaming, etc.) to children under 16 years of age.

However, neither the text of the General Data Protection Regulation nor the judgment of the European Supreme Court is far from clear about the rights it establishes, and there are still some issues to be resolved. For example, neither the judgment nor the regulations provide exhaustive guidance on how to reconcile an individual's right to erasure and the public's right to access information . In this regard, a set of guidelines developed by the European Commission's Article 29 Data Protection Working Group in the 1995 Data Protection Directive may be instructive. For example, it sets out some common factors that European data protection authorities should take into account when processing a data subject's request to delete certain online information, such as whether the search results relate to a natural person, whether the data subject is a public figure, whether the data subject is a minor people, whether the data is relevant and not excessive, whether the data is up-to-date, whether the data publisher has the legal authority or legal obligation to disclose personal data, etc. Interpretations by official authorities can help with the application of the right to forget, leading to more enforcement actions and court decisions.

Google Spain v. Gonzalez: The Right to Be Forgotten First Case

It is at the time when the public's ideology of the Internet is changing that the concept of the "right to be forgotten" has also begun to break away from academic discussions and officially enter the public eye. The first recognition of the "right to be forgotten" occurred between Google Spain and Spanish citizen Mario Costja Gonzalez, a case that still serves as a precedent on the issue . In 1998, a comprehensive daily newspaper in Spain, La Vanguardia, published on its website details of Gonzalez's government auction of real estate due to inability to pay his social security debts. The pages were later indexed by Google's web crawler and displayed in its search results. So anyone who typed Gonzalez's name into Google could access a link to the Herald's announcement. In order to remove these pages and links, Gonzalez filed a complaint with the Spanish Data Protection Authority (AEPD) against El Herald, Google and Google Spain, claiming that the seizure and freezing procedures against him were "long past" and "now The information is no longer relevant." The Spanish data protection agency decided on 30 July 2010 to reject Gonzalez's complaint against the newspaper, on the grounds that the publication of the Herald was made on the basis of an executive order of the Ministry of Labour and Social Security and therefore fully legal . However, Spain's data protection agency has backed Gonzalez's complaints against Google and Google Spain, asking Google to take the necessary steps to remove relevant links from search results and ensure that such data is no longer available in the future.

To overturn the decision, Google and Google Spain appealed to the Spanish National High Court. The Spanish High Court ruled that if a person's personal data has been published on a third-party website and the data subject does not want others to access the data, the legal obligation of search engine operators should depend on the understanding and application of the Data Protection Directive. As a result, the Spanish court stayed the proceedings and referred the case to the EU Supreme Court for its preliminary ruling on several issues, including the substantive scope of application of the Directive, the territorial scope of application and the right of data subjects to delete such information under the Directive.

On May 13, 2014, the Supreme Court of the European Union ruled that Google's operations in Spain were sufficient for it to comply with the Data Protection Directive. Moreover, search engines, as "data controllers", have a statutory obligation to delete certain personal information that is insufficient, irrelevant or no longer relevant , or information that exceeds the purpose of data processing, or has expired over time, even if such information It was originally published in a legal manner, and it was genuine and harmless. The court noted that the Directive required the court to weigh the following points: the data subject's "fundamental rights under Articles 7 and 8 of the Charter", "the economic interests of search engine operators", and " the general public’s interest in accessing this information”. The results may vary from case to case and may depend on "the nature of the information involved and its sensitivity to the private life of the data subject", as well as the role the data subject plays in public life. Following the court's ruling, a large number of individuals and entities applied to remove URLs from Google's search results for privacy reasons. According to the Google Transparency Report, to date, the company has received about 862,358 requests from users around the world to remove 3,415,801 URLs, the vast majority (88.4%) of which are private users.

More recently, the Gonzalez case has made headlines again thanks to the decision of the EU Supreme Court on September 25, 2019. The case stems from a dispute between Google and France's data privacy watchdog, the National Commission for Information and Freedom (CNIL), which fined Google €100,000 (£88,376) for failing to remove search results from outside the EU. Removed from Google domains in the rest of the world outside the member states. The Court of Justice of the European Union upheld Google's claim, holding that "under EU law, even if a search engine operator agrees to a data subject's data deletion request...the operator is not obliged to delete all versions of its search engine." Although this The results may disappoint privacy advocates and internet anarchists, but in a sense, the decision is significant because it partly demonstrates the Court's geographic expansion of the concept of the right to forget. Willingness to apply.

The author of this article, Yan Han, at the 4th Annual Conference of Internet Society "Netizen 21: Beyond Personal Accounts"

The first case of the right to be forgotten in China: Ren Jiayu v. Beijing Baidu Netcom Technology Co., Ltd.

Case background

The plaintiff, Ren Jiayu, is a practitioner in the field of administrative education. From July 1, 2014, he began to work as a lecturer in Wuxi Dow Education Company. This company is controversial and has a dubious reputation. ”, the employment relationship was terminated on November 26, 2014. On March 12, 2015, Beijing Daoyaxuan Trading Co., Ltd. negotiated with Ren Jiayu to voluntarily and formally terminate the labor agreement, because the company found on Baidu that Ren Jiayu was related to Dow Education. Specifically, when a user enters the search term "Ren Jiayu" in the Baidu search bar, the keywords "Toshi Education Ren Jiayu", "Wuxi Taoshi Education Ren Jiayu", "Tao Shi Ren Jiayu", etc. will all appear in the "Keyword Related Searches" " on the list of suggestions. In order to protect his rights and interests, Ren Jiayu spent time, money and energy looking for a lawyer to protect his rights and interests, went to Wuxi, Beijing and other places to protect his rights and interests at his own expense, and contacted Baidu to delete the search results, but his efforts were not effective. Therefore, Ren Jiayu filed a lawsuit with the Beijing Haidian District Court in 2015, asking Baidu to immediately stop all acts that violated its right to name, reputation and "right to be forgotten". In particular, Ren Jiayu wants Baidu to remove his name from six related search suggestions that he believes have damaged his reputation and cost him his job .

court of first instance

The Haidian District People's Court pointed out that the core of the legal dispute in this case lies in the legal evaluation of the legitimacy of the "related search" technical model and the corresponding service model , which specifically involves fundamental issues at the two levels of fact and law: one is the factual issue, namely Was the search term involving Ren Jiayu displayed by Baidu's "Related Search" service subject to the company's human interference? The second is a legal issue, that is, whether the search services provided by Baidu's "related search" technical model and the corresponding service model constitute an infringement of Ren Jiayu's right to name, reputation and the so-called "right to be forgotten" in the general personality right claimed by Ren Jiayu. ?

Was the search term involving Ren Jiayu displayed by Baidu's "Related Search" service subject to the company's human interference?

The Haidian District People's Court held that in the absence of any other evidence to the contrary by Ren Jiayu, it can be assumed that the six disputed keywords were collected from the statistics of terms that were frequently used in the past and related to the current search term. The engine is automatically generated without human intervention from Baidu. The court added that Ren Jiayu's testimony, the notarial certificate provided by the parties, and the court's on-site investigation all showed that when a person entered the keyword "Ren Jiayu" into the Baidu search bar, different rankings and rankings were displayed in the "related searches". The entry of the content, and the six search terms advocated by Ren Jiayu also show a dynamic and irregular display state from time to time. This is consistent with the general state of the "related search" function of the search engine , and does not present an abnormal situation of human intervention, providing clear and convincing evidence that the "related search" function is not subject to human intervention by Baidu.

Did the "related search" technical model and corresponding service model provided by Baidu violate Ren Jiayu's "right to be forgotten"?

The court of first instance held that what Ren Jiayu wanted to delete (or "remove the index") was information related to his previous employment at "Tow Education" in Baidu's "keyword-related searches", and Ren Jiayu believed that such information was harmful to his reputation in the industry There are negative effects that prevent him from finding a decent job. Since personal interests related to information do not belong to the scope of rights stipulated by Chinese law, whether the Chinese civil law can protect them depends on whether the interests are legitimate and whether it is necessary to be protected by law. In this case, the court has in fact established three preconditions for whether legitimate legal interests that are not categorised in Chinese law but should be protected by law are protected as part of personality rights:

(1) The interest orientation cannot be classified into the existing category of protection of personality rights;

(2) The interest is legitimate;

(3) The interest is necessary to be protected by law;

However, after careful consideration of the facts of the case, the court rejected Ren Jiayu's request to remove the keywords from the search results. The first question the court considers is whether a person's reputation can be negatively affected by an association with a company . Since the evaluation of corporate goodwill by different individuals is often a subjective judgment, and the objective goodwill of an enterprise will also change dynamically with the quality of its business operations, it is not appropriate to abstractly evaluate the goodwill and the generation of goodwill. Therefore, it is not appropriate for the court to evaluate Ren Jiayu's experience and its causal relationship with Dow's educational experience. In addition, Ren is still working in the same industry, and personal qualification information including his work experience is an important information basis for customers to judge. The retention of this information will help the public, including Ren Jiayu's so-called potential customers, know about Ren Jiayu's relevant situation an objective necessity. When Ren Jiayu cooperated with Dow-related companies in education business, he was not a minor, a person with limited capacity, or a person without capacity, and there was no legal basis for special protection for special groups in law. Therefore, the interests of the "right to be forgotten" advocated by Ren Jiayu in this case are not justifiable and necessary to be protected by law, and should not be a legitimate legal interest for infringement protection.

court of second instance

The analysis and reasons of the Beijing No. 1 Intermediate People's Court are basically the same as those of the Haidian District People's Court. For example, both courts held that the issue at issue was whether Baidu's keyword "related search" service violated the general personality rights claimed by Ren Jiayu, including the right to name, the right to reputation, and the "right to be forgotten" . The Beijing No. 1 Intermediate People's Court first pointed out that the "right to be forgotten" is a concept formally established by the European Court of Justice in the Gonzalez case. There is no legal provision for the "right to be forgotten" in the law, nor is there any type of "right to be forgotten". The court went on to point out, "Although the parties claim that their right to be forgotten should be a kind of personal interest based on the general personality right, if the personal interest is to be protected, Ren Jiayu must prove his legitimacy in this case and the necessity of protection, but Ren Jiayu cannot prove the above-mentioned legitimacy and necessity." Since Ren Jiayu could not meet the requirements of all three mentioned above, the Beijing No. 1 Intermediate People's Court rejected Ren Jiayu's lawsuit against Baidu.

"Yesterday is gone, forget it: the right to be forgotten in China's cyberspace governance system" report site

The applicability of the right to be forgotten in the Chinese context

As China's first "right to be forgotten" case, this case is similar to the Gonzalez case in that both cases involved individuals filing lawsuits in court over the protection of their personal information, asking search engines to provide The two courts have each interpreted an important concept in privacy law—the right to be forgotten. Although Chinese courts do not support the plaintiff's claim to protect the so-called "right to be forgotten", it is still an important milestone in the history of Internet privacy protection in China in the era of big data, and by establishing "the protection of personality rights that cannot be classified as existing types" The three aspects of the test of "category", "legitimacy of interest" and "necessity of protection" pave the way for the recognition of "right to be forgotten" as part of "general personality right" in the future. However, although this case provides a meaningful reference for the judicial protection of personal privacy-related interests and has been extensively discussed, the prospect of China's formal introduction or establishment of a "right to be forgotten" system through legislation or judicial decisions is not very promising. optimistic . The reasons for this can be summarized as follows.

Ambiguity between the General Data Protection Regulation and the EU Court of Justice decision

European legislation and court judgments are not easy to apply in China, because these legislation and judgments themselves are not clear, sufficient and comprehensive . As described by Ms Usha Prashar, Chair of the Judicial Appointments Committee in the House of Lords, "It is clear that neither the 1995 Directive nor the EU Court of Justice's interpretation of the Directive reflect the order we see today. Incredible technological progress, after all the Directive has been drafted for more than 20 years." Many criticized the Court of Justice of the European Union's decision in the Gonzalez case for being extremely vague on what data subjects have the right to delete and the criteria for deletion. For example, even though a court ordered Google to remove two links to Gonzalez's housing foreclosure lawsuit, all Google did and could do was de-index web pages, that is, associate web pages with search terms, The plaintiff's name or keywords containing the plaintiff's name are separated. So, the original information actually remains on the Internet, and people can still access the original web page by other means, such as entering different search terms, or typing the original address into the address bar, etc. If one really wants to permanently delete some information from the Internet, the most effective way is to delete or block the source of the information, namely the original announcement published by the Herald on its website. However, since the court held that the Herald, as a publisher, was exempt from the obligation to remove the original content, this raised the question of where the right to be forgotten applies only to search engines and not to online publishers , whether the right can be effectively enforced . To make matters worse, even though the Article 29 Working Group has provided guidance in its recommendations on which information needs to be deleted, the EU Court of Justice appears to be leaving the decision on whether to delete information to search engine operators such as Google and others who receive it. Entities making such requests make decisions on a case-by-case basis. As would-be "legislators" and enforcers of industry rules, these tech giants can easily change the standard to their advantage.

Furthermore, the ambiguity was not corrected in the newly adopted General Data Protection Regulation . According to a white paper published by Deloitte in January 2019 examining the implementation of the General Data Protection Regulation among marketers and media companies, all respondents agreed that: “Due to the unclear text of the regulation, reference cases or There is a lack of precedent, and there is still a lot of uncertainty about the GDPR.” This perceived ambiguity also prevents practitioners from taking effective measures to enforce the requirements of the GDPR and judging the strength of regulation. Therefore, copying the European model will not do China's fledgling data privacy protection system any good. Instead, it will only lead to confusion and abuse , as the validity of the European model has not been tested much, and more case law and guidance documents are needed to fill the gaps left by lawmakers in existing laws.

Technical difficulties in enforcing the right to be forgotten

The protection of data privacy requires not only legal support, but also technological progress . In order to realize the right to be forgotten, there must be technological solutions or tools that help data subjects clean up their digital footprints and online identities, or help data controllers and data processors manage the data collected and processed, detect sensitive data, and request to delete or destroy data. Although this process sounds simple and seems easy to implement, in today's digital world where even the information of the deceased who never used the Internet can show up in Google search results, it's a near-impossible task . Thankfully, as public awareness of data protection and privacy has grown, so have data deletion service providers . Companies like DeleteMe, PrivacyDuck, and OneRep, among others, help individuals monitor and delete personal data from major data collection sites such as Itelius, Spokeo, TruthFinder, and Whitepaper, and these services charge anywhere from $100 a year to $1,000 a year not wait. In addition, search engine providers such as DuckDuckGo that choose to actively change -- that is, do not collect users' searches or visits -- are also popular with privacy-conscious users. However, most existing service providers only target individual users, and few companies offer GDPR-compliant data management solutions to business users, in part because of the ambiguity of the regulation.

A powerful weapon that can greatly improve privacy is encryption . Encryption is the process of converting a piece of information into garbled characters that cannot be decoded with a mismatched key. When it comes to the right to erasure or the right to be forgotten, encrypting data is probably the most convenient and efficient way for users because encryption solves the problem of active backups. For example, if a person deletes an image he posted on Facebook, he may later see the image on a third-party website because Facebook can keep a copy of the deleted image on its servers ( whether intentional or not), and Facebook may also share these images with third parties. But if the user encrypts the image and keeps the key locally, it doesn't matter whether Facebook keeps a copy, because without the key, Facebook can't decipher the data at all. Essentially, encryption gives users complete control over their data by making it inaccessible without the corresponding key . Therefore, whether to delete information will be determined by the user, not by the service provider. As Timothy C. May, founder of the Cypherpunk movement and technical writer and author of the "Crypto Anarchism Manifesto", said in his article "Cybereconomics", encryption is a A "pre-emptive protection" . Despite these advantages, encryption has its own problems. First, the concept of encryption is often associated with criminals and terrorists because many people still believe in the "Nothing to hide" fallacy: if you have nothing to hide, you have nothing to fear. Means you don't have to use privacy-preserving tools like encryption. At the same time, countries such as Australia have even passed legislation to compel communication companies operating in the country to install backdoors or implant malware in their products for the government, making encrypted data impossible for ordinary people. Additionally, encryption is incompatible with many existing platforms, including Google and Amazon, which would render their services unusable.

The current status of the right to be forgotten in Chinese law

Although Beijing Haidian District People's Court and Beijing No. 1 Intermediate People's Court both stated that the right to forget does not exist in Chinese law, in fact, similar concepts can be seen everywhere in Chinese laws and regulations, legislative proposals or judicial decisions . For example, Article 36 of China's Tort Liability Law stipulates: "If a network user uses network services to commit tortious acts, the infringed has the right to notify the network service provider to take necessary measures such as deletion, blocking, and disconnection."; Article 43 of China's Cybersecurity Law also stipulates: "Individuals have the right to request the network operator to delete their personal information if they find that the network operator has violated the provisions of laws, administrative regulations or the agreement between the two parties to collect or use their personal information; If it is found that the personal information collected and stored by the network operator is wrong, it has the right to request the network operator to correct it. The network operator should take measures to delete or correct it.” Therefore, it is said that there is no right to be forgotten (right to deletion) in Chinese law. It is inaccurate, rather the right to be forgotten in Chinese law is more moderate and restrictive, as opposed to the more radical and straightforward form adopted by EU countries . In incorporating the right to be forgotten into its legal system, China's approach is somewhat more similar to that of the United States. Although U.S. judges discussed the concept of the right to be forgotten as early as the 1940s in Sidis v. FR Publishing Corp., today, even in what is recognized as U.S. The right to be forgotten is not formally enshrined in the California Consumer Protection Act (CCPA) of the General Data Protection Regulation, or even in other privacy-related laws and regulations enacted at the federal and state level. establish. In fact, the New York State Legislature introduced a right to be forgotten bill in 2018, but it is far from passing. Of course, that's not to say Americans don't take data privacy seriously. The concept of the right to privacy in the U.S. legal system can be traced back to the Fourth Amendment to the Constitution, which states that “no person shall be free from unreasonable search and seizure of his person, home, documents, and property.” Guided by amendments such as the Fourth Amendment, the United States Enacted personal information protection laws, such as the Health Insurance Portability and Accountability Act of 1996, the Privacy Act of 1974, the Electronic Communications Privacy Act of 1986 ” (Electronic Communications Privacy Act), etc., traces of the right to erasure/right to be forgotten can be found in almost every piece of legislation. However, unlike European countries, the United States attaches more importance to the value of freedom of speech and free flow of information, so in order to prevent abuse of the right to erasure/right to be forgotten, the US government is still hesitant to directly incorporate this right into legislation . Likewise, China needs to balance the adequacy of legal remedies provided by existing laws, rules and regulations, the needs of individuals, and the possible negative and positive effects of introducing such rights, in order to avoid adopting a legislation.

in conclusion

The Gonzalez case is a small but vital part of the general public's fight for citizens' privacy rights -- especially in this digital age where tech giants like Google, Apple, Twitter, and Facebook know us well . The case effectively provides users with a shield against the endless leaks and dissemination of privacy on the Internet, a shield that is now further strengthened through legislative means such as the General Data Protection Regulation. Starting from the origin of the right to be forgotten/the right to erasure, this article reviews a series of important historical events that led to the formal implementation of the right to be forgotten in legal provisions, including judicial decisions and legislative processes. This article specifically delves into Article 17 of the GDPR, the “Right to be Forgotten”, and explores which areas are affected by the implementation and scope of this Article. Then, this article shifts the focus to the first right-to-be-forgotten case in China: Ren Jiayu v. Baidu, and analyzes why the courts of first and second instance made the decision to dismiss the plaintiff's right to be forgotten. While praising the courage and creativity of Chinese courts, this article also explores the practical challenges of indigenizing the right to be forgotten, a concept identified by the European Supreme Court: First, the EU Court of Justice judgments and legislation remain generally ambiguous, Therefore, hasty copying of the European model will increase the possibility of abuse of China's data protection system; second, the introduction of the right to be forgotten/erased in Chinese law will place an additional burden on Chinese Internet companies to develop a data protection compliant Regulation’s data management system is technically difficult, and small and medium-sized companies will suffer the most because they may not have enough budget to implement such a system; third, certain provisions in China’s legal system have essentially given the network Users have rights similar to those established by the General Data Protection Regulation and the Court of Justice of the European Union, so a separate provision for the right to be forgotten might not make sense. This article recommends that legislators and regulators carefully weigh different interests such as the need to protect personal information, the current situation in China, the reference value of the EU model, etc., in order to make a reasonable and informed decision on whether to introduce this right. .

references

A5323. Assemb. Reg. Sess. 2017-2018. (NY 2017)

Article 29 Data Protection Working Party. (2014). Guidelines on the implementation of the Court of Justice of the European Unionjudgment on “Google Spain and inc v. Agencia Española de Protección de Datos(AEPD) and Mario Costeja González”. Retrieved from https ://www.pdpjournals.com/docs/88502.pdf

Bernal, PA (2011). A right to delete?. European Journal of Law and Technology, 2(2).

Bowcott O. (2014, July 30). Right to be forgotten is unworkable, say peers. The Guardian. Retrieved November 10, 2019, from https://www.theguardian.com/technology/2014/jul/30/right-to -be-forgotten-unworkable-peers

Case C-131/12 Google Spain SL, Google Inc. vAgencia Española de Protección de Datos and Mario Costeja González, ECLI:EU:C:2014:317 (2014).

Council of Europe. (1981). Convention for the protection of individuals with regard to automatic processing of personal data. Retrieved from

h ttps://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=0900001680078b37

Council of Europe. (1953). The European Convention on Human Rights. Retrieved from https://www.echr.coe.int/Documents/Convention_ENG.pdf

Court of Justice of the European Union. (2019, September 24). The operator of a search engine is not required to carryout a de-referencing on all versions of its search engine [Press release]. Retrieved November 10, 2019, from https ://curia.europa.eu/jcms/upload/docs/application/pdf/2019-09/cp190112en.pdf

Cyber Security Law of the People's Republic of China, art. 43 (2017) Zhonghua Renmin Gongheguo Wangluo Anquan Fa.

Deloitte. (2019, Feburuary). After GDPR – Lessons and consequences from the advertiser perspective. Retrieved November 10, 2019, from https://www2.deloitte.com/content/dam/Deloitte/de/Documents/technology/Deloitte_DSGVO_im_Marketing.pdf

Dworkin, G. (1975). Rehabilitation of Offenders Act1974. The Modern Law Review, 38(4), 429-435.

European Commission. (2010). Communication from the Commission to the European Parliament, the Council, The Economic and SocialCommittee and the Committee on the Regions, A Comprehensive Approach on Personal Data Protection in the European Union. Retrieved from https://eur- lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52010DC0609&from=GA

European Commission (2010). European Commission sets out strategy to strengthen EU data protection rules [Press release]. Retrieved November 10, 2019, from https://europa.eu/rapid/press-release_IP-10-1462_en.htm?locale= fr

European Commission. (2015). Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protectionof individuals with regard to the processing of personal data and on the freemovement of such data. Retrieved from https:// eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:31995L0046&from=en

European Commission. (2016). Regulation (EU)2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. Retrieved from https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&qid=1573394131021&from=EN

European Convention. (2000). Charter of FundamentalRights of the European Union. Retrieved from https://www.europarl.europa.eu/charter/pdf/text_en.pdf

European Convention. (2007). Treaty of Lisbonamending the Treaty on European Union and the Treaty establishing the EuropeanCommunity, signed at Lisbon, 13 December 2007. Retrieved from http://publications.europa.eu/resource/cellar/688a7a98-3110- 4ffe-a6b3-8972d8445325.0007.01/DOC_19

Google. (nd). Requests to delist content under Europeanprivacy law. (nd). Retrieved November 10, 2019, from https://transparencyreport.google.com/eu-privacy/overview

Hooper J. (2010, February 24). Google executivesconvicted in Italy over abuse video. The Guardian. Retrieved October 10, 2019, from https://www.theguardian.com/technology/2010/feb/24/google-video- italy-privacy-convictions

Lindroos-Hovinheimo, S. (2016). Legal Subjectivity and the 'Right to be Forgotten': A Rancièrean Analysis of Google. Law and Critique, 27(3), 289-301.

Mantelero, A. (2013). The EU Proposal for a General Data Protection Regulation and the roots of the 'right to beforgotten.' Computer Law & Security Review, 29(3), 229–235. doi:10.1016/j.clsr. 2013.03.010

Ren Jiayu v. Beijing Baidu Netcom Science& Technology Co., Ltd., CLI.C.8614731(EN) (2015)

Sanjin B. (2017). Issues of uniformapplication of General Data Protection Regulation(Unpublished master's thesis). Lund University. Retrieved November 10, 2019, from http://lup.lub.lu.se/luur/download?func=downloadFile&recordOId =8926008&fileOId=8926009

Sobkow, B. (2017, June). Forget Me, Forget Me Not-Redefining the Boundaries of the Right to Be Forgotten to Address CurrentProblems and Areas of Criticism. In Annual Privacy Forum (pp. 34-51). Springer, Cham.

Schwartz J. (2009, November 12). Two German KillersDemanding Anonymity Sue Wikipedia's Parent. New York Times. RetrievedOctober 10, 2019, from http://www.nytimes.com/2009/11/13/us/13wiki.html

Secrétariat d'Etat chargé de la Prospective et du Développement de l'économie numérique (2010). Charte sur la publicité ciblée etla protection des internautes. Retrieved from https://assiste.com/Assiste/ftp/Charte_Publicite_Ciblee_du-30-sept-2010 .pdf

Secrétariat d'Etat chargé de la Prospective et du Développement de l'économie numérique (2010). Charte du Droit à l'oubli dansles sites collaboratifs et les moteurs de recherche. Retrieved from https://www.huntonak.com/files/webupload /PrivacyLaw_Charte_du_Droit.pdf

May T. (1994, September 10). The Cyphernomicon [Weblog post]. Retrieved November 10, 2019, from https://nakamotoinstitute.org/static/docs/cyphernomicon.txt

Tort Liability Law of the People's Republic of China, art. 36 (2010) Zhonghua Renmin Gongheguo Qinquan Fa.

Tuscano, J. (2019, September 3). Google Has My DeadGrandpa's Data And He Never Used The Internet. Forbes. Retrieved November10, 2019, from https://www.forbes.com/sites/joetoscano1/2019/09/03 /google-has-my-dead-grandpas-data-and-he-never-used-the-internet/#75dc2ef22b0c

Anderson, Charles & Johnson (2003). Theimpressive psychology paper. Chicago: Lucerne Publishing.

Smith, M. (2001). Writing a successful paper. TheTrey Research Monthly, 53, 149-150.