Right to be forgotten
The right to be forgotten is the development of the previous article in this library on the new data protection regulations (the “Regulations”) refers to the Regulations being in place by 2014 currently that forecast would be optimistic. Viviane Reding (European Commissioner for Justice, Fundamental Rights and Citizenship) the driving force behind the Regulations, has succeeded in getting the Regulations approved by the European Parliament. The European Parliament is the directly elected body that represents citizens of the EU. However getting the Regulations through the Council of Ministers is proving more difficult. The Council of Ministers will not agree the text or even the form of the Regulations. Notwithstanding, there is common ground that the existing directive 95/46/EC is out-dated and should be updated. It is looking likely that Ms Reid will not see the Regulations approved by the Council of Ministers as she may not be re-elected to the European Parliament in the coming elections 22-25 May 2014.
Why are the Regulations proving so difficult to get through the Council of Ministers? Well there are several reasons: one of the reasons is the controversial “Right to be Forgotten”.
The controversy continued heating up on the 13 May 2014 when the Court of Justice of the European Union, Luxembourg (the “Luxembourg Court”) gave Judgment in Case C-131/12 – Google Spain SL, Google Inc. v. Agencia Espanola De Proteccion De Datos – Mario Costeja Gonzalez
This article will examine the facts and judgment in Case c-131/12 in the context of directive 95/46/EC, the Regulations and the right to be forgotten.
In 1998, Mr Gonzalez, a Spaniard, was going through a challenging financial period. There were attachment proceedings for the recovery of social security debts against his property. The property was sold at auction and the debt settled. La Vanguardia Ediciones SL covered the story and their archives (including the story about Mr Gonzalez) were later uploaded to the Web.
Mr Gonzalez felt that this incident in his life was 16 years in the past, and should be forgotten. Mr Gonzalez quite reasonably expected that he could now get on with his life without the stigma of a settled debt incurred 16 years ago. He was not to be so fortunate. The Web version of the La Vanguardia story was available under a Google search of his name. The damaging story ranked high up in the organic results of a Google search under his name.
Fed up with an obviously unfair situation, Mr Gonzalez, lodged a complaint with the “supervisory authority” in Spain the – Agencia Espanola de Proteccion de Datos (AEPD). Mr Gonzalez requested that (i) La Vanguardia remove or alter the article in question; and (ii) that Google Spain (Google in Spain) or Google Inc (Google in the USA) remove the links to the article for the Google index search results.
2 issues here:
First, according to Google the service of web search, as well as the other services available to the users of Google, are managed by Google Inc, a company in the United States. None of their subsidiary companies such as Google Spain or Google UK etc administer Google services, nor do they have the capacity to control the content that is accessible through them. In other words, Google Spain (or in the UK Google UK) may not be a rightful party to a complaint regarding the removal of content from a web search. This issue is relevant to Pillar Two of the Regulations – Non-European companies will have to stick to European data protection law if they operate on the European market.
Second, Google already has internal policies for removing links from Google search results. Anyone can directly contact Google Inc with their complaint at this link. However, Google’s internal link removal policies do not include a “right to be forgotten”. Under the proposed Regulations data subjects will first file their removal request with the data processor.
The Spanish “supervisory authority” – the AEPD- agreed that Google should remove the links from its index but considered that La Vanguardia had lawfully published the initial article. Google Spain and Google Inc unhappy with this decision both applied to the Audencia Nacional (National High Court, Spain), to have the AEPD’s decision declared invalid. As a consequence, the National High Court of Spain referred a number of questions to the Luxembourg Court for a ruling.
The issues that this article consider are:
(i) Are intermediaries (in this case Google) data collectors and data processors for the purposes of the directive 95/46/EC?
(ii) What is the scope of the directive 95/46/EC? Does it cover personal data of EU citizens being processed by any organisation, regardless of their establishment. In other words, will EU Citizens be protected by directive 95/46/EC even where the collection and processing of their data is being carried out by an American company?
(iii) Where the data subject no longer wants their data to be processed, can they get it deleted upon request, when there are no legitimate grounds for retaining it?
The Court ruled in the affirmative on all 3 issues. From the ruling:
Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, in order to comply with the rights laid down in those provisions and in so far as the conditions laid down by those provisions are in fact satisfied, the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from these web pages, and even, as the case may be, when its publication in itself on this pages is lawful.
Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, when appraising the conditions for the application of those provisions, it should inter alia be examined whether the data subject has a right that the information in question relating to him personally should, at this point in time, no longer be linked to his name by a list of results displayed following a search made on the basis of his name, without it being necessary in order to find such a right that the inclusion of the information in question in that list causes prejudice to the data subject. As the data subject may in light of his fundamental rights under Article 7 and 8 of the Charter, request that the information in question no longer be made available to the general public on account of its inclusion in such a list of results, those rights override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name.
The Luxembourg Court’s ruling is crystal clear. There are qualifications to freedom of expression. Contracting Parties to the European Convention on Human Rights are required to adopt measures to prevent interference with the Article 8 Right to Privacy of the individual either by a Contracting Party or by a third party.
Even the Article 10 Right to Freedom of Expression has certain limitations. First interference with freedom of expression may be justified as a result of a specific prescribed law and second the interference must also be necessary in a democratic society.
Article 10 then goes on to list matters as a result of which interference will be warranted by law and by necessity in a democratic society:
(i) in the interests of national security;
(ii) territorial integrity or public safety;
(iii) for the prevention of disorder or crime;
(iv) for the protection of health or morals;
(v) for the protection of the reputation or rights of others;
(vi)for preventing the disclosure of information received in confidence; or
(vii) for maintaining the authority and impartiality of the judiciary.
Although companies like Google are to be greatly admired, no one can seriously suggest that the economic interests of commercial organisations should take precedence over an individual’s right to be forgotten.
This article agrees with Viviane Reding’s claim that the ruling is a “victory for the protection of the personal data of Europeans”. The American first amendment right without strict qualification threatens the rule of law; yet another American paradox.
The irony is that Internet companies (the largest and most influential of which are American) argue vigorously that information on the Internet about a person should not be that person’s proprietary right, yet these same companies want to control all information including personal data. The irresistible rhetorical question is this: if you control and process personal information about someone are you exercising proprietary rights over that person’s personal data?
The way Internet companies want to shape the future of information might not necessarily have anything to do with the public interest. It is the position of this article that taking away the power of the individual to protect his or her own personal data, and giving that power to Internet companies, is more about giving power to Internet companies and less to do with protecting the public interest.
The reason organisations, companies, even governments get away with abuse of privacy and data protection rights is because most people don’t attempt to protect their rights. Mr Gonzalez it seems was determined to do something about his.
Please see our other articles on: