Don't forget you can't always be forgotten
In our last newsletter, we looked at the main issues that the European Court of Justice (ECJ) considered when it determined that Google Inc. must remove links on its search result pages relating to Spanish Citizen, Mr Mario Costeja González.
Since the judgement, there has been much commentary about the decision, some of which is rather misleading...
The 'right to be forgotten' is a brand new right!
The right of individuals to have inaccurate and irrelevant information about them removed is nothing new. The 1995 Data Protection Directive (on which the ruling is based) already includes the principle underpinning the 'right to be forgotten'; ie that a person can ask for their personal data to be deleted once it is no longer necessary.
Claims that the ruling and the proposed General Data Protection Regulation creates something fundamentally new are completely wrong.
What we can say is that there is an evolution of this right, which seems to now also cover profiling concerns and what seems to be a right to reinvent oneself.
The decision means that anyone can have anything removed
Again, this is false.
The ECJ, in its decision, did not elevate the 'right to be forgotten' to some kind of 'super right' which trumps all other fundamental rights, like freedom of expression and freedom of the media. An individual cannot simply request that any and all of their personal information be deleted.
On the contrary, the decision confirmed that the right to get your personal data erased is not absolute and has clear limits. It requires a case-by-case assessment and a fair balance needs to be reached between the legitimate interests of internet users and the individual's fundamental rights.
The balance may depend on the nature of the personal data in question, its sensitivity and the public interest in having that information available.
Mr González's case in itself is an example of this balancing act. Whilst the court ordered Google to remove the links from the search engine results, it did not order the Spanish newspaper to delete the article from its website.
What is all the excitement about then?
Mainly about the jurisdiction point.
Up until recently, one of the reasons consistently invoked by Google to defend its claim that EU data protection laws do not have jurisdiction over the search engine's data processing activities was that the search engine is run by Google Inc. in the US and not the European subsidiaries which, apparently, are simply sales offices.
The decision turned this argument on its head.
Companies that process personal data of EU citizens will therefore find it increasingly difficult to argue that they do not have to comply with EU data protection laws on the basis that they "only have sales offices or branches in the EU".
This aspect of the decision is also very much in line with what is being advocated under the proposed general data protection Regulation (the Regulation). The Regulation will have extra-territorial effect, meaning that it will be applicable to all organisations that process the personal data of EU citizens regardless of whether or not that organisation has an establishment located in the EU.
In a nutshell, the message to global multinationals is clear - do not try to engineer your corporate structure to avoid applicability of the EU data protection laws. It does not work.
What has happened since the decision?
Google has set up an online form for individuals to request that Google removes irrelevant and inaccurate links from the search result of the individual's name. Unsurprisingly, Google has been inundated with requests.
It has been reported that Google is receiving approximately 12,000 requests per day from people wanting certain links about them removed.
We have seen already that Google has removed an image of Max Mosely; at the bottom of the page where the image once was reads a statement: "In response to a legal request submitted to Google, we have removed 1 result(s) from this page. If you wish, you may read more about the request at ChillingEffects.org".
David Smith, Deputy Commissioner, commented about the decision in the ICO blog that:
"[the ICO] expects search providers to start the process of considering what solutions are needed to deal with requests to remove links. Good job then that Microsoft search engine, Bing, has recently confirmed that it is working on a 'special process for residents of the European Union to request blocks of specific privacy-related search results on Bing in response to searches on their names'!!"
For more practical tips on how to ascertain whether you are a controller or not, we have prepared a top ten bulletin - please contact us if you wish us to send you a copy.
This article was written by Janine Regan.
For more information please contact Janine on +44 (0)20 7427 6798 or email@example.com.
News & Insights
Uber data breach highlights notification obligations and GDPR impact
The incident provides a useful reminder of the current laws and imminent changes relating to data breaches.