Earlier this year, the EU Court of Justice handed down its decision in the ‘Right to be Forgotten’ case which gave individuals the right to have their personal information deleted from the internet. The judgement has already resulted in Google and Bing amending their EU privacy procedures and has potentially far-reaching consequences for foreign companies doing business within the EU that collect or process personal information. Lawyer, Leonora Tyers reviews the judgement and its implications.

Facts

The case concerned a Spanish citizen who, in 1998, had his house repossessed and auctioned following court proceedings relating to social security debts. At that time a Spanish newspaper published an article concerning the auction, which was later made available on its website. In 2009 the man became aware that a link to the article appeared in response to a Google search of his name. He sought removal of the article from the newspaper’s website, and of the link to the article from Google search results in accordance with the 1995 EU Data Protection Directive (Directive). He claimed the link and article interfered with his privacy as the proceedings to which it referred were so old as to be irrelevant.

The Directive

The Directive requires EU member states to introduce and enforce certain privacy protections, although the exact implementation is at each member state’s discretion.

The provision of the Directive in question here requires EU member states to ensure personal information is:

  • ‡‡collected and processed fairly, lawfully and for a specified, explicit and legitimate purpose
  • ‡adequate, relevant, not excessive and accurate (ie. complete and up-to-date)
  • ‡‡only kept in a form allowing identification of the person for as long as necessary for the purpose of it collection.

Decision and impact within the EU

The Court held the newspaper was not required to remove the article, but that Google was required to remove the link to it from search results.

In reaching its conclusion the Court found that search engines:

  • ‡‡process and control the personal information on websites for which they create links
  • ‡‡are bound by the Directive if they have branches in or targeted at EU member states to promote and sell ad space to those countries, such as local Google sites like ‘google.co.uk’. It is irrelevant that, as in Google’s case, the personal information is collected and processed entirely in a non-EU country
  • ‡‡will be required to remove infringing links even if the:
    • ‡‡content of the web page is not removed or does not itself infringe the Directive. For example, in this case the newspaper did not have to remove the article because it published the out-of-date information for a ‘journalistic purpose’ which is a defence to the Directive. But Google had to remove the link because it was not displayed for a ‘journalistic purpose’ and so Google could not rely on that defence.
    • ‡‡person is not harmed by the link, and its removal would be costly for the search engine and prejudice the public interest in accessing information. One exception is where the personal information is of a public figure and interference with their privacy it justifiable on public interest grounds

Both Google and Bing responded to the decision by establishing procedures allowing EU residents to lodge complaints about links, with each complaint being individually assessed. However, there was concern that search engines were not in a position to assess the validity of such complaints. On 26 November 2014, in response to those concerns, the EU Article 29 Data Protection Working Party released guidelines on how the Court’s decision should be implemented (Guidelines). To this end, criteria are provided in the Guidelines to guide the decision-making process for complaints brought under the Directive, including:

  • ‡‡whether the link relates to a natural person, and appears in results based on a search of their name
  • ‡‡whether the subject of the link is a public figure or a minor
  • ‡‡whether the information is accurate, relevant, not excessive (having regard to the subject’s working life, whether the information is defamatory, or is clearly identified as an opinion), sensitive, up to date, or relates to a criminal offence
  • ‡‡whether the link is causing prejudice to the subject of the information, or puts them at risk
  • ‡‡the context of the original publication, including whether it was for a journalistic purpose
  • ‡‡whether the publisher of the information has a legal power or obligation to make it publicly available.

Impact outside the EU

This decision illustrates the extent to which EU policy is able to impact foreign companies and has caused concern, particularly in the US, about its potential effect. In particular there are concerns the decision:

  • ‡‡allows the EU to regulate activities of international companies operating within the EU that are undertaken entirely outside the EU
  • ‡‡was initially interpreted by Google as requiring infringing links to be removed only from its EU-specific search engines, such as google.co.uk. The Guidelines, however, advise that “de-listing should also be effective on all relevant domains, including .com”.

This means that all search engine users will have their results altered based on the EU’s judgement as to the correct balance to be struck between privacy rights and free speech. The EU tends to place more emphasis on privacy than Australia and, especially due to its First Amendment protection, the US.

Despite these concerns the EU, with some resistance from the UK, is looking to strengthen its privacy protection by introducing the Data Protection Regulation Art 17 which will significantly impact companies operating within the EU that collect personal information by:

  • ‡clarifying non-EU companies must apply EU rules when offering services to EU residents
  • ‡‡putting the onus on companies to show the personal information is still relevant or needed and should not be deleted, or that an exception (such as freedom of expression, public health, processing for historical, statistical or scientific purposes) applies
  • ‡‡requiring companies to take reasonable steps to inform third parties that an individual wants their personal information to be deleted and to ensure the information is erased
  • ‡allowing data protection authorities to impose fines of up to 2% of annual worldwide turnover.

In an indication of how these issues are being dealt with domestically, on 3 September 2014 the ALRC tabled its Serious Invasions of Privacy in the Digital Era (ALRC Report 123) Report, which considered the possibility of introducing a new Australian Privacy Principle (APP). The proposed APP, known as the ‘right to be deleted’, would allow individuals to request destruction or de-identification of their personal information held by Commonwealth government agencies and private companies, partnerships, unincorporated associations (other than political parties) and trusts with more than $3m annual turnover. Although the ALRC ultimately accepted that this APP should not be introduced without further consideration, it stated that it “remains concerned…that the existing APPs do not require an entity to provide a simple mechanism allowing an individual to request the destruction or deidentification of personal information.” This leaves open the possibility of a future push towards greater privacy protection in a time where old and out-of-date information is increasingly accessible online.