With its odd sounding name “The right to be Forgotten” has made its way in recent months into the discussion of privacy/data protection and the internet. This “right” is little more than a long held feeling that an individual should have the ability to remove information from the internet at some point in time based on such reasons as it being incorrect, being unfairly placed on the internet, or simply being having occurred long ago and no longer relevant.
The “Right to be forgotten” was enshrined in the in the 1995 European Data Protection Directive (Directive 95/46 EC). (Directives direct all member States to enact an enforceable framework of laws to give them effect, and form one of the principal bases of governance in the EU). Under Article 12 of the Directive private citizens in the EU were permitted to request removal of information from the Internet. Specifically, Article 12 on the “Right of access” states:
Member States shall guarantee every data subject the right to obtain from the controller:
(b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;
(c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort.
A recent ruling Judgment of the Court (Grand Chamber) in C-131/12 Google Spain v AEPD and Mario Costeja Gonzalez (13 May 2014), has given new teeth to the right to be forgotten and sounded the alarm for search engines, Internet Service Providers and others. The case began in 2010 when a Spanish citizen presented a complaint against a Spanish newspaper and Google with the Data Protection Agency of Spain. Mr. Costeja alleged that a notice of auction in connection with a bankruptcy notice that appeared in Google’s search results violated his right to privacy because the matter to which the notice related had been completely resolved for several years and was no longer relevant. He initially asked that the newspaper be required to either delete the information or change the pages at issue so that the personal data would cease to appear online; and also, that Google Spain or Google Incorporated be ordered to not make the information relating to him available through searches with his name.
The Spanish Audiencia Nacional (similar to a US District Court) decided to stay the proceedings and to refer the case to the Court of Justice of the European Union for opinion on the following broadly stated questions:
(a) Whether the Directive 95/46 EC applied to search engines such as Google;
(b) Whether Directive 95/46 EC applied to Google Spain, given that the company’s data processing server was in the United States;
(c) Whether an individual has the right to request that his or her personal data be removed from accessibility via a search engine under Article 12 (the ‘Right to be Forgotten’).
In answer to these questions, the Grand Chamber, which is comprised of 15 judges (including the president and vice-president) found that:
a) Even in cases where the actual server is located outside of the EU, the laws and Directives of the EU are applicable to search engine providers if they maintain a physical presence in any Member State and carry out business intended toward garnering revenue within the the EU;
b) Search engines should be considered “controllers” of personal data. That by search engines qualify by “…exploring the internet automatically, constantly and systematically in search of the information which is published there, the operator of a search engine ‘collects’ such data which it subsequently ‘retrieves’, ‘records’ and ‘organises’ within the framework of its indexing programmes, ‘stores’ on its servers and, as the case may be, ‘discloses’ and ‘makes available’ to its users in the form of lists of search results.” As such the right to be forgotten as enshrined in 95/46 EC also applies to them.
c) As to the last question the Court concluded that the Right to be Forgotten extends to “not only from the fact that such data are inaccurate but, in particular, also from the fact that they are inadequate, irrelevant or excessive in relation to the purposes of the processing, that they are not kept up to date, or that they are kept for longer than is necessary unless they are required to be kept for historical, statistical or scientific purposes.” It went on to state that: “even initially lawful processing of accurate data may, in the course of time, become incompatible with the directive where those data are no longer necessary in the light of the purposes for which they were collected or processed.”
The Court does go on to that the right to be forgotten is not without limits and must be balanced against “the legitimate interest of internet users potentially interested in having access to that information…” The Court goes on to explain that, “when appraising such requests made in order to oppose processing such as that at issue in the main proceedings, it should in particular be examined whether the data subject has a right that the information relating to him personally should, at this point in time, no longer be linked to his name by a list of results displayed following a search made on the basis of his name.” Interestingly, the Court makes explicit that eth party requesting removal need not establish “that the inclusion of the information in question in the list of results causes prejudice to the data subject.”
With this ruling the EU has confirmed one of the basic rights which to date remained little more than an aspirational right. The question is whether this ruling applies to specific cases affecting an individual’s right to privacy over information that is no longer relevant or inaccurate, or whether it serves as a harbinger of court intervention to establish such other Internet rights as the right to Opt-In, greater protection from Cookies, or the right to be obscure on the Internet?
By Ivan Mercado