Over the last year there has been an increasing focus by the Court of Justice of the European Union ("CJEU") and courts in the UK on the Charter of Fundamental Rights of the European Union (the "Charter") and especially the fundamental right to privacy.

The right to privacy is now overshadowing conflicting rights such as the freedom of expression and freedom to conduct a business and, in some instances, national data protection legislation. 

1. The 'right to be forgotten' - Google Spain SL v AEPD[1]

In May 2014, the CJEU ruled that the operation of the Google search engine involves “the processing of personal data” within the meaning of the Data Protection Directive ("DPD") and Google Inc. is the controller of such processing.

Even though the operator, Google Inc., was a Californian entity, the Court held it subject to the DPD. The Court deemed Google Spain to be an “establishment” of Google Inc. based on a finding that the advertising activities of Google Spain are inextricably linked with the operation of the search engine.

It held the DPD must be interpreted in light of the Charter and the fundamental right to privacy.

The right to privacy will outweigh the economic interests of the operator of the search engine.

Whether the right to privacy will outweigh the interests of internet users in accessing information depends on the nature of the information, the interest of the public in having that information, the effect on the individual and whether or not the data subject is a public figure.

Data which was once lawfully processed may become irrelevant over time, rendering further processing – such as appearing on a search results page – unlawful, giving the data subject a right to demand it no longer appear in search results.

2. Erosion of protections afforded to online companies - Max Mosley v Google[2]

The E-Commerce Directive affords ISPs and social media operators significant protections, recognised by the CJEU in various rulings such as L’Oreal[3] and Sabam 1[4]. The E-Commerce Directive also affords internet users protection from active monitoring.

On 15 January, 2015, the High Court of England and Wales indicated that the E-Commerce protections and the protection of internet users from monitoring could be outweighed by the obligation to ensure there is an effective remedy to protect persons whose data protection rights have been infringed. Mr Justice Mittings found that given its existing technology to prevent access to child abuse images, it may be that Google could block access to the images (of the former Formula-1 boss engaged in private sexual activity) “without impermissible monitoring”.

Accordingly, Google’s application to strike out the proceedings, on the basis the proceedings had no realistic prospects of success, was denied and the case will now proceed to trial. The outcome is eagerly awaited but there may be a CJEU reference before it is resolved.

3. Misuse of private information as a recognised tort - Vidal-Hall v Google[5]

On 27 March 2015, the UK Court of Appeal held that the misuse of private information can be categorised as a tort. Further, the Court held, relying on the Charter of Fundamental Rights, that compensation can be awarded even where there had been no pecuniary loss.

To achieve that result, the Court disapplied Section 13(2) of the UK Data Protection Act, which generally required that damage be suffered before compensation was payable, as not compatible with European law.

There is a clearly perceptible trend here, one which is casting a pall of uncertainty over previously accepted precepts of privacy and internet law. This trend has not yet reached the Republic of Ireland in any substantively decided cases. We can only hope that the position elsewhere in the EU is clarified before it does.