Erasing the Past:
How the ‘Right to be Forgotten’ can Strengthen our Privacy Laws”
By: Shiba Ashley A. Fernandez, Atty. Lea Mona P. Chu, and Atty. Rhenelle Mae O. Operario
Still haunted by something from your past? Or trapped by old, outdated, or downright wrong information about you lingering on the internet? What if you had the power to wipe it all away forever?
In today’s digital age, a single click can rapidly spread a person’s personal information, yet not all online content remains accurate; some details become outdated, irrelevant, or false, and once misinformation spreads, it cannot be instantly undone. While technology creates new opportunities, it also threatens privacy and personal rights, making it necessary for laws to evolve and protect individuals.
As early as 1968, the Supreme Court held in the case of Morfe vs. Mutuc1, that the right to privacy is accorded independent recognition and is fully deserving of Constitutional protection, thus:
“The right to privacy as such is accorded recognition independently of its identification with liberty; in itself, it is fully deserving of constitutional protection.
x x x x Protection of this private sector -
protection, in other words, of the dignity and integrity of the individual - has become increasingly important as modern society has developed.
All the forces of the technological age - industrialization, urbanization, and organization - operate to narrow the area of privacy and facilitate intrusion into it. x x x x.”
(Emphasis supplied.)
In Cadajas vs. People of the Philippines 2, the Supreme Court has recognized the right to informational privacy, which encompasses an individual’s control over the processing of personal data, including the right to prevent disclosure on the internet of matters relating to one’s private life, thus:
“x x x x Meanwhile, informational privacy refers to one’s right to control ‘the processing - i.e., acquisition, disclosure and use - of personal information. x x x x
Privacy scholars explain that the right to informational privacy, to a certain extent, requires ‘limitation on inspection, observation, and knowledge by others.’ Thus, it has the following aspects: (1) to keep inalienable information to themselves, (2) to prevent first disclosure, (3) to prevent further dissemination in case the information has already been disclosed. More recently, the European Union has paved way for the fourth aspect - the right to be forgotten, or the right to prevent storage of data.
As regards the first component of the right to informational privacy, a person has the right not to be exposed on the internet in matters involving one’s private life, such as acts having no relation to public interest or concern.” (Emphasis supplied.)
Social media platforms and search engines have made personal information more accessible than ever. With just a single click, sensitive data can be exposed and widely shared, often without an individual’s awareness or consent, creating risks of privacy breaches and reputational damage. This underscores the pressing need to safeguard personal data and protect the right to informational privacy.
Many countries are updating their privacy laws to address the risks of collecting and sharing personal data online. For example, the European Union’s General Data Protection Regulation (GDPR), one of the world’s most important privacy laws, sets rules on how data is handled across EU countries and gives individuals the important right to be forgotten.
Accordingly, the fundamental right to privacy has evolved into what is now called the “right to erasure,” more commonly known as the “right to be forgotten.” This right enables individuals to regain control over their digital presence by requesting the deletion of personal data—whether because it is no longer necessary for its original purpose, consent has been revoked, or its continued use is unlawful or harmful to their rights and freedoms.
The right to be forgotten was first highlighted in the landmark case of
Google Spain SL and Google Inc. vs. Agencia Española de Protección de Datos and Mario Costeja Gonzalez3
(Costeja ruling). In this case, González asked a Spanish newspaper, La Vanguardia, to remove pages with personal information about him. He also requested that Google hide or delete links to these pages, since the legal case mentioned had already been settled years earlier and was no longer needed. The EU Court ruled in González’s favor, stating that people can ask to remove links to lawfully published pages if the information has become outdated or harmful. This landmark decision established the “right to be forgotten,” but also clarified that it is not absolute and must be balanced with freedoms like expression, speech, and the press.
Prompted by the Costeja Ruling, Section 17 of the General Data Protection Regulation (GDPR)4 formally codified the right to erasure, commonly referred to as the “right to be forgotten,” to wit:
The right to be forgotten lets people request the deletion of their personal data when it is no longer needed, relevant, or lawful, and requires prompt action from data controllers. However, under the GDPR, this right is limited and must be balanced with other rights, such as freedom of expression.
In the Philippines, the Congress enacted Republic Act No. 10173, or the “Data Privacy Act of 2012” (DPA), it upholds the fundamental right to privacy by setting clear rules on the collection, use, storage, and disclosure of personal information, while balancing this protection with the free flow of information. Although the DPA does not expressly recognize the right to be forgotten, it nevertheless grants data subjects certain rights, including the ability to request the removal or blocking of personal information.
Under Sec. 16 (e) of R.A. 101735, it recognizes the data subject’s right to demand the deletion or destruction of their personal data under certain circumstances, thus:
Additionally, Rule VIII, Sec. 34(e) of the Implementing Rules and Regulations of R.A. 101736 (DPA-IRR), affirms the data subject’s right to have their personal information erased or blocked from further processing, particularly when such data is found to be inaccurate, outdated, or unlawfully obtained, thus:
Further, the DPA-IRR7 provides for instances as to when the right to erasure and blocking of personal data, thus:
In Atty. Co-Pua’s dissertation, entitled “The Right to be Forgotten: The Delicate Balance Between Personal Privacy and Public Interest Towards a Proposed Amendment of the Philippine Data Privacy Act of 2012”8 , she compares the GDPR and the DPA by discussing the challenges of the right to be forgotten and how it can be balanced with the public’s right to information. She ultimately calls for its formal recognition through amendments to the Philippines’ Data Privacy framework.
The DPA shares significant similarities with the GDPR, especially in recognizing a person’s right to request the deletion of personal information. This is expected since many of its provisions were adapted from the GDPR. In line with this, Section 11(c) of the DPA9 allows the restriction or destruction of inaccurate or outdated data, providing a clear legal basis for such actions, to wit:
Further, it highlights the similarities between the GDPR and the DPA in three main areas: remedies, coverage, and limitations. In terms of remedies10 , Article 17 of the GDPR grants individuals the right to have their personal data erased without undue delay, while Section 16(c) of the DPA similarly allows requests for the suspension, withdrawal, blocking, removal, or destruction of personal information. As to coverage11 , both laws permit the deletion of data that is no longer necessary, with the GDPR extending this to unlawfully processed information and the DPA covering data that is incomplete, outdated, false, or unnecessary. Regarding limitations12 , the GDPR provides broader exceptions, excluding cases where data processing is essential for freedom of expression, legal compliance, public health, research, or legal claims, whereas the DPA restricts the right to erasure to situations where there is substantial proof that the data is incomplete, outdated, false, unlawfully obtained, misused, or no longer needed.
The similarities between the GDPR and the DPA reflect a shared principle of recognizing an individual’s right to request the removal of personal information under certain conditions. Both laws emphasize giving people control over their data to prevent harm, protect privacy, and uphold human dignity, and while they differ in wording and scope, each affirms the right to request erasure or blocking of personal data.
As such, an example of when the right to be forgotten was exercised in our jurisdiction is when Senator Sotto requested several online news platforms to take down articles linking him to the controversial 1982 rape case involving Pepsi Paloma, which he claimed were “original fake news.”13 Despite public criticism, as it was an attempt to curtail press freedom and expression, the articles became inaccessible, showing that the right to be forgotten can be applied by analogy even without formal legal recognition.
Although the right to be forgotten is not yet expressly enshrined in Philippine law, the framework established by the Data Privacy Act demonstrates that its foundations are already in place, as it allows individuals to request the removal of false or outdated information, reflecting the same principle of the right to be forgotten as adopted from the European Union’s GDPR.
The real challenge lies in refining our legal system and our laws for today’s digital world, where harmful or outdated information can stay online forever and affect a person’s reputation. As we live in an era where information never truly disappears, the right to be forgotten is not just desirable, but necessary to safeguard the rights of every individual.
[1] Morfe vs. Mutuc, G.R. No. L-20387, 31 January 1968
[2] Cadajas vs. People of the Philippines, G.R. No. 247348, 16 November 2021
[3] Google Spain SL and Google Inc. vs. Agencia Española de Protección de Datos (AEPD) and Mario Costeja Gonzalez (C-131/12, 13 May 2014). Retrived from https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:62012CJ0131
[4] Article 17, General Data Protection Regulation (GDPR). Retrieved from https://gdpr-info.eu/art-17-gdpr/
[5] Republic Act No. 10173, Data Privacy Act of 2012. Retrieved from https://privacy.gov.ph/data-privacy-act/
[6] Implementing Rules and Regulations of Repubic Act No. 10173, also known as the “Data Privacy Act of 2012”. Retrieved from https://privacy.gov.ph/implementing-rules-regulations-data-privacy-act-2012/
[7] Implementing Rules and Regulations of Repubic Act No. 10173, also known as the “Data Privacy Act of 2012”. Retrieved from https://privacy.gov.ph/implementing-rules-regulations-data-privacy-act-2012/
[8] Co-Pua,M.J.K. (2019).The Right to be Forgotten: The Delicate Balance Between Personal Privacy and Public Interest Towards a Proposed Amendment of the Philippine Data Privacy Act of 2012. UST Law Journal, Volume 1, Pages 53-83.
[9] Republic Act No. 10173, Data Privacy Act of 2012. Retrieved from https://privacy.gov.ph/data-privacy-act/
[10] Co-Pua,M.J.K. (2019).The Right to be Forgotten: The Delicate Balance Between Personal Privacy and Public Interest Towards a Proposed Amendment of the Philippine Data Privacy Act of 2012. UST Law Journal, Volume 1, Pages 53-83.
[11] Ibid
[12] Ibid
[13] Sotto asks Inquirer.net to remove Pesi paloma stories, 17 June 2018. Retrieved from https://newsinfo.inquirer.net/1001463/sotto-asks-inquirer-net-to-remove-pepsi-paloma-stories –