On 13 May 2014, the Court of Justice of the European Union (CJEU) made a ruling in the case Google Spain SL, Google Inc. v Agencia Espanola de Proteccion de Datos (AEPD) and Mario Costeja Gonzalez (Case C-131/12) that drastically changed the privacy landscape for European citizens. The outcome of the ruling has come to be known as ‘the Right to be Forgotten’.
Not long after that judgment came the decision of the Grand Chamber of the European Court of Human Rights in Magyar Helsinki Bizottság v Hungary (App No 18030/11). The court was asked to consider whether Article 10 of the Convention could be interpreted as guaranteeing a right of access to information held by public authorities. It declared that when certain criteria are met it could. And so, access to information is now, in essence, a human right.
Finally, there is the question of privacy rights in relation to the dead, where the possibility has emerged that such a claim could be established. The ECtHR has considered the question in the cases: Putistin v Ukraine (App No 16882/03), Yukovlevich Dzugashvili v Russia (App No 41123/10) and Genner v Austria (App No 55495/08). The near ubiquitous use of social media has also introduced a new dimension to personal information. An issue that now arises is what happens to, and who owns, information on social media accounts when someone dies?
I shall be considering these in turn in separate articles divided into: Parts I, II and III.
PART I: THE RIGHT TO BE FORGOTTEN
The Costeja case involved a claim against Google to remove an Internet search result. When the claimant, Mr Costeja Gonzalez, typed his name into the Google search engine, one of the results that appeared was a link to an alleged failure to pay debts dating back to 1998. He argued that the proceedings had been fully resolved and were no longer relevant, and thus the search result should be removed.
The CJEU ruled that the definition of the term ‘controller’ in the context of the Data Protection Directive was wide, and that Google was caught by it. Google therefore has a responsibility to ensure that information that is ‘inaccurate, inadequate, irrelevant or excessive’ is removed if a request is made. The information referring to Mr Costeja Gonzalez was considered to be just so, and the link to it was removed.
As a result of this decision, Google has received hundreds of thousands of requests to remove links to information. A delisting does not however remove the information from the Internet in its entirety. It just makes it much more difficult to find. Initially you could also still find the links if you searched on a different Google domain, for example www.google.fr rather than www.google.co.uk. After France’s Data Protection Agency (‘DPA’) Commission nationale de l’informatique et des libertes objected, Google began to apply geo-location technology to prevent such searches.
Communicating to third parties that a delisting has taken place is still a contentious issue. Google would inform Webmasters of the original content about its decision to delist a search result. In September 2016 the Spanish DPA AEPD, fined the company €150,000 for disclosing delistings involving three data subjects to Webmasters.
Many object to the creation of this new privacy right, pointing to the fact that there is little transparency in the decision process applied by Google in its decision to delist links to certain information. The concept pits the right to privacy squarely against the right to freedom of information. The information that is being removed is not untrue and is arguably a matter of public record, removal of which may have knock-on effects.
Numerous hypothetical situations spring to mind. A fraudster operates a highly sophisticated scam, leaving many people penniless. He is caught and imprisoned. His conviction spent, he requests the delisting of any references to his case. A fellow scammer knows about his operation and adopts it as her own. The people she manages to dupe may not have been, had they read those articles that would have outlined the suspiciously similar details of the original scam.
What if links to articles about numerous successful unfair dismissal and discrimination claims are removed (as they have been). The claimants do not wish for the facts of their cases, or their success at court, to be seen by future employers. Researchers are gathering information from the Internet to assess what particular aspects of unfairness and discrimination in the workplace persists. How accurate can their research be without a full record of incidents?
Of course the flip side is why should a person – who may not have had control of what information about them appeared on the Internet in the first place – not be entitled to their privacy? Should information be available forever, information that can have serious consequences many years later? A young person may have done something regrettable in their past, should they not be entitled to put that behind them?
Whatever one may feel about the correctness of the CJEU decision in Costeja, the principle of the ‘Right to be Forgotten’ appears to be firmly accepted. It has been formally incorporated into the General Data Protection Regulation; it is not going away. What we should consider however, is how it will change our relationship with the Internet in the future. If we cannot be sure what we can no longer read, will we have faith in what we can?
The next part of this series ‘Access to Information, a new Human Right’ will be available next month.
If you are interested in further information or advice, please contact my clerks to instruct me on: 0300 0300 218.