The much anticipated commencement date of the newly enacted Protection of Personal Information Act, No 4 of 2013 (POPI) causes us to focus on global approaches to data privacy which will guide the South African interpretation and implementation of personal information protection. Foreign policies and rules and the manner in which foreign courts are recognising the importance of the protection of personal information will be important tools in guiding South Africa in the way personal information is to be protected under POPI.
From a European perspective, the right to protection of personal information under the EU Directive was recently raised within the European Court of Justice (ECJ) in a case brought by a Spanish complainant who complained that an auction notice of his repossessed home (of some 16 years ago) on Google's search results infringed his privacy. A request to the newspaper to remove the particular articles was refused. The complainant then proceeded to raise the issue with the Spanish data protection authority, AEPD. AEPD took legal action in the ECJ against Google to remove the data on the grounds that it compromises the right to data protection and dignity.
The ECJ ruled that Google is to amend its search results at the request of ordinary people in a test of the so-called 'right to be forgotten.' In its judgment, the ECJ ruled that people had the right to request that information be removed if it appeared to be 'inadequate, irrelevant or no longer relevant.' The ECJ held that Google is not merely a processor of information but also a controller of personal data as it determines the purpose of the indexing of information, which was found to constitute the processing of personal data. As such, Google is under certain circumstances obliged to remove links to webpages containing personal data even where it is found that the webpage is lawful.
The Google judgment has been dubbed a 'victory' by some for the protection of personal information and the right to privacy of Europeans and condemned by others saying that it "violates the fundamental principles of freedom of expression." In data privacy arguments, the balancing of these two rights is key and needs to be dealt with on a case-by-case basis. The nature of information and consideration for the data subject's private life must always be taken into account.
Following the Google judgment, the EU Article 29 Working Party adopted guidelines relating to the right to be forgotten. The guidelines establish 13 criteria to be used by national Data Protection Authorities (DPAs) of the European Union member states to assess whether requests to be de-listed from search engine results or to be 'forgotten' are legitimate. These guidelines are non-exhaustive and are to be collectively considered in the context of a particular matter. In summary, the criteria established by the guidelines are:
- Natural persons: EU data protection regulations protect individuals; even nicknames appear to be relevant search terms, accordingly, requests by individuals will carry weight.
- Public figures: The ECJ made an exception for de-listing requests from data subjects that play a role in public life to the extent that there is public interest in having access to information about such persons.
- Minors: The de-listing of personal information relating to a minor will be likely.
- Accuracy: Information which is inaccurate, inadequate or misleading is likely to be considered appropriate for de-listing.
- Relevance: Data which is not relevant to public interest is more likely to be de-listed. The age of such information is also considered in determining its relevance.
- Sensitive information: Content divulging sensitive personal information such as race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or health will most likely be successfully de-listed.
- Up to date: If data is out of date or being made available for longer periods than is necessary for the purpose of the processing and continues to be made available after its purpose has been satisfied, such information is likely to be de-listed.
- Prejudice: When personal information is made public and has a disproportionally negative impact on a data subject, a request for de-listing will most likely be successful – although there is no obligation on a data subject to demonstrate prejudice to request de-listing.
- Risk: If personal information which is publically available through search engines results in a data subject being at risk, such data is more likely to be de-listed.
- Context of publication: Consideration must be given to whether the data subject voluntarily made the content publically available, whether the data was intended to be made public or whether the data subject could have reasonably foreseen that the content would be made public. If the data subject consented to such publication and later revokes consent, it is likely that de-listing will be successful.
- Journalistic content: The European data protection rules provide for certain exceptions in respect of the processing of personal data in the context of journalistic purposes. The Google judgment however distinguishes between (a) the original publication by the media, and (b) the legal basis for search engines to organise search results based on a person's name. Thus search engines, such as Google, will not necessarily be able to rely on the rules pertaining to 'journalistic purposes.'
- Legal obligation: Should there be a legal obligation to make private information publically available, de-listing will most probably not be appropriate.
- Criminal offences: As a general rule, de-listing of personal information concerning minor offences from several years prior is more likely to be obtained than de-listing of serious offences that have occurred more recently. Such requests will be dealt with on a case-by-case basis.
As noted above, these are simply guidelines and each request for de-listing will need to be considered on a case by case basis. It is likely that similar actions to that raised in the Google case will be instituted in South Africa once POPI has commenced. As such, the Google case and the Article 29 Working Party guidelines provide valuable guidance to South Africa as to the protection of personal information in terms of POPI, including by providing direction in regard to weighing the right to privacy against the right to access of information.