Erasing the Past: How the ‘Right to be Forgotten’ can Strengthen our Privacy Laws”
Shiba Ashley A. Fernandez
Atty. Lea Mona P. Chu
Atty. Rhenelle Mae O. Operario
SEPTEMBER 2025
Still haunted by something from your past? Or trapped by old,
outdated, or downright wrong information about you lingering on the internet? What if you
had the power to wipe it all away forever?
In today’s digital age, a single click can rapidly spread a person’s personal information, yet not all online content remains accurate; some details become outdated, irrelevant, or false, and once misinformation spreads, it cannot be instantly undone. While technology creates new opportunities, it also threatens privacy and personal rights, making it necessary for laws to evolve and protect individuals.
As early as 1968, the Supreme Court held in the case of Morfe vs. Mutuc, 1 that the right to privacy is accorded independent recognition and is fully deserving of Constitutional protection, thus:
In today’s digital age, a single click can rapidly spread a person’s personal information, yet not all online content remains accurate; some details become outdated, irrelevant, or false, and once misinformation spreads, it cannot be instantly undone. While technology creates new opportunities, it also threatens privacy and personal rights, making it necessary for laws to evolve and protect individuals.
As early as 1968, the Supreme Court held in the case of Morfe vs. Mutuc, 1 that the right to privacy is accorded independent recognition and is fully deserving of Constitutional protection, thus:
“The right to privacy as such is accorded recognition independently of its identification with liberty; in itself, it is fully deserving of constitutional protection.
x x x x Protection of this private sector –
protection, in other words, of the dignity and integrity of the individual – has become increasingly important as modern society has developed.
All the forces of the technological age – industrialization, urbanization, and organization – operate to narrow the area of privacy and facilitate intrusion into it. x x x x.”
(Emphasis supplied.)
In Cadajas vs. People of the Philippines,2
the Supreme Court has recognized the right to informational privacy, which encompasses an individual’s control over the processing of personal data, including the right to prevent disclosure on the internet of matters relating to one’s private life, thus:
“x x x x Meanwhile, informational privacy refers to one’s right to control ‘the processing – i.e., acquisition, disclosure and use – of personal information. x x x x
Privacy scholars explain that the right to informational privacy, to a certain extent, requires ‘limitation on inspection, observation, and knowledge by others.’ Thus, it has the following aspects: (1) to keep inalienable information to themselves, (2) to prevent first disclosure, (3) to prevent further dissemination in case the information has already been disclosed. More recently, the European Union has paved way for the fourth aspect – the right to be forgotten, or the right to prevent storage of data.
As regards the first component of the right to informational privacy, a person has the right not to be exposed on the internet in matters involving one’s private life, such as acts having no relation to public interest or concern.” (Emphasis supplied.)
Privacy scholars explain that the right to informational privacy, to a certain extent, requires ‘limitation on inspection, observation, and knowledge by others.’ Thus, it has the following aspects: (1) to keep inalienable information to themselves, (2) to prevent first disclosure, (3) to prevent further dissemination in case the information has already been disclosed. More recently, the European Union has paved way for the fourth aspect – the right to be forgotten, or the right to prevent storage of data.
As regards the first component of the right to informational privacy, a person has the right not to be exposed on the internet in matters involving one’s private life, such as acts having no relation to public interest or concern.” (Emphasis supplied.)
Social media platforms and search engines have made personal information more accessible than ever. With just a single click, sensitive data can be exposed and widely shared, often without an
individual’s awareness or consent, creating risks of privacy breaches and reputational damage. This underscores the pressing need to safeguard personal data and protect the right to
informational privacy.
Many countries are updating their privacy laws to address the risks of collecting and sharing personal data online. For example, the European Union’s General Data Protection Regulation (GDPR), one of the world’s most important privacy laws, sets rules on how data is handled across EU countries and gives individuals the important right to be forgotten.
Accordingly, the fundamental right to privacy has evolved into what is now called the “right to erasure,” more commonly known as the “right to be forgotten.” This right enables individuals to regain control over their digital presence by requesting the deletion of personal data—whether because it is no longer necessary for its original purpose, consent has been revoked, or its continued use is unlawful or harmful to their rights and freedoms.
The right to be forgotten was first highlighted in the landmark case of Google Spain SL and Google Inc. vs. Agencia Española de Protección de Datos and Mario Costeja Gonzalez 3 (Costeja ruling). In this case, González asked a Spanish newspaper, La Vanguardia, to remove pages with personal information about him. He also requested that Google hide or delete links to these pages, since the legal case mentioned had already been settled years earlier and was no longer needed. The EU Court ruled in González’s favor, stating that people can ask to remove links to lawfully published pages if the information has become outdated or harmful. This landmark decision established the “right to be forgotten,” but also clarified that it is not absolute and must be balanced with freedoms like expression, speech, and the press.
Prompted by the Costeja Ruling, Section 17 of the General Data Protection Regulation (GDPR) 4 formally codified the right to erasure, commonly referred to as the “right to be forgotten,” to wit:
Many countries are updating their privacy laws to address the risks of collecting and sharing personal data online. For example, the European Union’s General Data Protection Regulation (GDPR), one of the world’s most important privacy laws, sets rules on how data is handled across EU countries and gives individuals the important right to be forgotten.
Accordingly, the fundamental right to privacy has evolved into what is now called the “right to erasure,” more commonly known as the “right to be forgotten.” This right enables individuals to regain control over their digital presence by requesting the deletion of personal data—whether because it is no longer necessary for its original purpose, consent has been revoked, or its continued use is unlawful or harmful to their rights and freedoms.
The right to be forgotten was first highlighted in the landmark case of Google Spain SL and Google Inc. vs. Agencia Española de Protección de Datos and Mario Costeja Gonzalez 3 (Costeja ruling). In this case, González asked a Spanish newspaper, La Vanguardia, to remove pages with personal information about him. He also requested that Google hide or delete links to these pages, since the legal case mentioned had already been settled years earlier and was no longer needed. The EU Court ruled in González’s favor, stating that people can ask to remove links to lawfully published pages if the information has become outdated or harmful. This landmark decision established the “right to be forgotten,” but also clarified that it is not absolute and must be balanced with freedoms like expression, speech, and the press.
Prompted by the Costeja Ruling, Section 17 of the General Data Protection Regulation (GDPR) 4 formally codified the right to erasure, commonly referred to as the “right to be forgotten,” to wit:
“1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (Emphasis supplied.)
The right to be forgotten lets people request the deletion of their personal data when it is no longer needed, relevant, or lawful, and requires prompt action from data
controllers. However, under the GDPR, this right is limited and must be balanced with other rights, such as freedom of expression.
In the Philippines, the Congress enacted Republic Act No. 10173, or the “Data Privacy Act of 2012” (DPA), it upholds the fundamental right to privacy by
setting clear rules on the collection, use, storage, and disclosure of personal information, while balancing this protection with the free flow of information. Although
the DPA does not expressly recognize the right to be forgotten, it nevertheless grants data subjects certain rights, including the ability to request the removal or blocking
of personal information.
Under Sec. 16 (e) of R.A. 10173, 5 it recognizes the data subject’s right to demand the deletion or
destruction of their personal data under certain circumstances, thus:
Section 16. Rights of the Data Subject. – The data subject is entitled to:
x x x x
(e) Suspend, withdraw, or order the blocking, removal or destruction of his or her personal information controller’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes, or are no longer necessary for the purposes for which they were collected. In this case, the personal information controller may notify third parties who have previously received such processed personal information; (Emphasis supplied.)
Additionally, Rule VIII, Sec. 34(e) of the Implementing Rules and Regulations of R.A. 10173 6 (DPA-IRR), affirms the data subject’s right to have their personal information erased or blocked from further processing, particularly when such data is found to be inaccurate, outdated, or unlawfully obtained, thus:
“Section 34.. Rights of the Data Subject. – The data subject is entitled to the following rights:
x x x x
e. Right to Erasure or Blocking. The data subject shall have the right to suspend, withdraw or order the blocking, removal or destruction of his or her personal data from the personal information controller’s filing system.” (Emphasis supplied.)
Further, the DPA-IRR 7 provides for instances as to when the right to erasure and blocking of personal data, thus:
“1. This right may be exercised upon discovery and substantial proof of any of the following: –
(a) The personal data is incomplete, outdated, false, or unlawfully obtained;
x x x x
(c) The personal data is no longer necessary for the purposes for which they were collected; (Emphasis supplied.)
In Atty. Co-Pua’s dissertation, entitled “The Right to be Forgotten: The Delicate Balance Between Personal Privacy and Public Interest Towards a Proposed Amendment of the Philippine Data Privacy Act of 2012” 8 , she compares the GDPR and the DPA by discussing the challenges of the right to be forgotten and how it can be balanced with the public’s right to information. She ultimately calls for its formal recognition through amendments to the Philippines’ Data Privacy framework.
The DPA shares significant similarities with the GDPR, especially in recognizing a person’s right to request the deletion of personal information. This is expected since many of its provisions were adapted from the GDPR. In line with this, Section 11(c) of the DPA 9 allows the restriction or destruction of inaccurate or outdated data, providing a clear legal basis for such actions, to wit:
The DPA shares significant similarities with the GDPR, especially in recognizing a person’s right to request the deletion of personal information. This is expected since many of its provisions were adapted from the GDPR. In line with this, Section 11(c) of the DPA 9 allows the restriction or destruction of inaccurate or outdated data, providing a clear legal basis for such actions, to wit:
“Section 11. General Data Privacy Principles. – The processing of personal information shall be allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality.
Personal information must be,
Personal information must be,
x x x x
(c) Accurate, relevant and, where necessary for purposes for which it is to be used the processing of personal information, kept up to date, inaccurate or incomplete data must be rectified, supplemented, destroyed, or their further processing restricted. (Emphasis supplied.)
Further, it highlights the similarities between the GDPR and the DPA in three main areas: remedies, coverage, and limitations. In terms of remedies10,
Article 17 of the GDPR grants individuals the right to have their personal data erased without undue delay, while Section 16(c) of the DPA similarly allows requests for the suspension,
withdrawal, blocking, removal, or destruction of personal information. As to coverage11, both laws permit the deletion of data that is no longer
necessary, with the GDPR extending this to unlawfully processed information and the DPA covering data that is incomplete, outdated, false, or unnecessary. Regarding
limitations12, the GDPR provides broader exceptions, excluding cases where data processing is essential for freedom of expression, legal compliance,
public health, research, or legal claims, whereas the DPA restricts the right to erasure to situations where there is substantial proof that the data is incomplete, outdated, false,
unlawfully obtained, misused, or no longer needed.
The similarities between the GDPR and the DPA reflect a shared principle of recognizing an individual’s right to request the removal of personal information under certain conditions. Both laws emphasize giving people control over their data to prevent harm, protect privacy, and uphold human dignity, and while they differ in wording and scope, each affirms the right to request erasure or blocking of personal data.
As such, an example of when the right to be forgotten was exercised in our jurisdiction is when Senator Sotto requested several online news platforms to take down articles linking him to the controversial 1982 rape case involving Pepsi Paloma, which he claimed were “original fake news.”13 Despite public criticism, as it was an attempt to curtail press freedom and expression, the articles became inaccessible, showing that the right to be forgotten can be applied by analogy even without formal legal recognition.
Although the right to be forgotten is not yet expressly enshrined in Philippine law, the framework established by the Data Privacy Act demonstrates that its foundations are already in place, as it allows individuals to request the removal of false or outdated information, reflecting the same principle of the right to be forgotten as adopted from the European Union’s GDPR.
The real challenge lies in refining our legal system and our laws for today’s digital world, where harmful or outdated information can stay online forever and affect a person’s reputation. As we live in an era where information never truly disappears, the right to be forgotten is not just desirable, but necessary to safeguard the rights of every individual.
The similarities between the GDPR and the DPA reflect a shared principle of recognizing an individual’s right to request the removal of personal information under certain conditions. Both laws emphasize giving people control over their data to prevent harm, protect privacy, and uphold human dignity, and while they differ in wording and scope, each affirms the right to request erasure or blocking of personal data.
As such, an example of when the right to be forgotten was exercised in our jurisdiction is when Senator Sotto requested several online news platforms to take down articles linking him to the controversial 1982 rape case involving Pepsi Paloma, which he claimed were “original fake news.”13 Despite public criticism, as it was an attempt to curtail press freedom and expression, the articles became inaccessible, showing that the right to be forgotten can be applied by analogy even without formal legal recognition.
Although the right to be forgotten is not yet expressly enshrined in Philippine law, the framework established by the Data Privacy Act demonstrates that its foundations are already in place, as it allows individuals to request the removal of false or outdated information, reflecting the same principle of the right to be forgotten as adopted from the European Union’s GDPR.
The real challenge lies in refining our legal system and our laws for today’s digital world, where harmful or outdated information can stay online forever and affect a person’s reputation. As we live in an era where information never truly disappears, the right to be forgotten is not just desirable, but necessary to safeguard the rights of every individual.
FOOTNOTES
1. Morfe vs. Mutuc, G.R. No. L-20387, 31 January 1968
3. Google Spain SL and Google Inc. vs. Agencia Española de Protección de Datos (AEPD) and Mario Costeja Gonzalez (C-131/12, 13 May 2014). Retrived from https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:62012CJ0131
4. Article 17, General Data Protection Regulation (GDPR). Retrieved from https://gdpr-info.eu/art-17-gdpr/
5. Republic Act No. 10173, Data Privacy Act of 2012. Retrieved from https://privacy.gov.ph/data-privacy-act/
6. Implementing Rules and Regulations of Repubic Act No. 10173, also known as the “Data Privacy Act of 2012”. Retrieved from https://privacy.gov.ph/implementing-rules-regulations-data-privacy-act-2012/
7. Implementing Rules and Regulations of Repubic Act No. 10173, also known as the “Data Privacy Act of 2012”. Retrieved from https://privacy.gov.ph/implementing-rules-regulations-data-privacy-act-2012/
9. Republic Act No. 10173, Data Privacy Act of 2012. Retrieved from https://privacy.gov.ph/data-privacy-act/
13. Sotto asks Inquirer.net to remove Pepsi paloma stories, 17 June 2018. Retrieved from https://newsinfo.inquirer.net/1001463/sotto-asks-inquirer-net-to-remove-pepsi-paloma-stories
*The views and opinions expressed are based on applicable laws, constitutional provisions, and/or jurisprudence in force at the time of writing, and do not constitute legal advice or an official stance on any political matter. Subsequent legal or factual developments may affect the relevance or applicability of the views and opinions herein expressed.