The recent decision of the European Court of Justice relating to Google and the "right to be forgotten", enabling citizens from the European Union to request search engines operating in Europe to delete, or not to show, certain indexed links, has gone viral.
Since the ruling many journalists, commentators and lawyers have written both about the benefits and disadvantages of the decision and the impact it may have in Europe and globally. However, in the midst of the gale force winds of commentary whipped up by the Google case and the resultant frenzy over privacy rights and the "right to be forgotten", we should pause and ask ourselves: just how ground-breaking is this decision?
This landmark case began in 2010 when a lawyer named Mario Costeja González complained to the Spanish Data Protection Agency that Google had interfered with his privacy by indexing pages from a Spanish newspaper that contained information about Mr González's home being repossessed 16 years ago for outstanding tax debts. Mr González wanted the links removed from Google's indexed search results.
The European Court of Justice found that Google had a duty to remove the links to the 16 year old newspaper articles as the repossession of Mr González's home was no longer relevant to his current situation. In doing so, on 13 May 2014 the Court of Justice held that Google was obliged to remove any links to webpages about a person that contained information that was "inadequate, irrelevant or no longer relevant", "out of date" or "excessive". Following this decision, individuals in Europe now have a "right to be forgotten", which is essentially a right to have irrelevant or out of date information about that person deleted or, rather, not indexed by or appear in search engine results.
To comply with the ruling of the European Court of Justice, Google has launched a "right to be forgotten" help page where individuals can request that certain indexed links on Google be removed. Since the ruling, Google has reportedly received over 70,000 requests from individuals seeking to be "forgotten". Many of these requests have been of a questionable nature and intention. For example, numerous paedophiles have allegedly requested that links relating to their crimes be removed from any Google indexing.
RESPONSES TO THE GOOGLE CASE
The global reaction has been extremely animated with various commentators discussing the "ground breaking" and "landmark" implications of the Google case worldwide.
Privacy advocates argue that the Google case is a step in the right direction towards greater protection of a person's right to privacy and the right to not have irrelevant or out of date personal details publicly available and easily accessible.
Others have criticized the ruling, arguing that: (i) the terms used (such as "irrelevant" or "excessive") are operationally vague; (ii) it is unreasonable from a policy perspective and impracticable to place the burden of determining whether information about a person is "irrelevant", "out of date" or "excessive" on search engine companies such as Google; and (iii) the impact of the ruling is limited in that Google can only remove the queried index matches or links to the offending website. That is, the information will exist on the website even though Google has removed the index link to that site.
It is clear from a quick Google search (noting the irony!) that, globally, there are many varied reactions to the Google case, not just in the media but also from individuals queuing up to request Google to remove certain indexed links. Commentators have pondered the effects of adopting a similar approach in Australia.
However, in the wake of this commentary tornado, it is important to remember that the "right to be forgotten", or at least a version of it, has been around for quite a while in Australia.
THE PRIVACY ACT: CORRECTION OF PERSONAL INFORMATION
The obligation to determine whether any personal information that an organisation holds, uses and/or discloses is "irrelevant" or "out of date" has long been an aspect of the Australian Privacy Act and, from 12 March 2014, the Australian Privacy Principles ("APPs").
Under APP 13 an individual has a right to request that personal information held by an organisation that is "inaccurate, out of date, incomplete, irrelevant or misleading" be corrected. An organisation may also (on its own initiative) correct any personal information that it holds where it is satisfied that the personal information is irrelevant or out of date. In addition, APP 10 provides that organisations have a separate obligation to take reasonable steps to ensure that any personal information that they use and/or disclose is "accurate, up to date, complete and relevant".
This means that individuals in Australia have the right to request that any irrelevant or out of date personal information held by an organisation be corrected to more accurately reflect the individual's current situation. Organisations have the ability to refuse such a request or consider how best to effect the request. That is, organisations operating in Australia are already required to assess and form a view regarding: (i) the meaning of the terms "irrelevant" and "out of date" (noting that the Privacy Commissioner's guidelines provide some direction on these terms); (ii) whether the personal information that the organisation holds is in fact inaccurate or out of date; and (iii) how to correct such information (ie whether to amend or, perhaps, delete the personal information).
Importantly, there is a journalism exception under the Australian Privacy Act which permits media organisations to act or engage in practices that would ordinarily contravene the Privacy Act. This exception enables media organisations in Australia (such as the newspaper that published Mr González's story) to refuse to correct or delete a news article even though the personal information contained in the article may, over time, become irrelevant or out of date.
IS THERE A BIG DIFFERENCE BETWEEN THE "RIGHT TO BE FORGOTTEN" AND THE CORRECTION OBLIGATIONS UNDER THE PRIVACY ACT?
Some commentators have observed that the Google case does not extend or relate to the Australian privacy context as Australia does not have a right to request deletion of personal information. However, this is not strictly true.
The Privacy Commissioner released guidelines on the APPs which provide that, in certain circumstances, "correcting" inaccurate, irrelevant or out of date personal information the only appropriate course may be to delete or de-identify that information. Therefore, in requesting that irrelevant or out of date personal information be corrected, it is not difficult to conclude that an individual may request that their personal information be deleted or de-identified for the purposes of correction by the holder of such personal information. Further, in the process of keeping personal information up-to-date and accurate, an organisation may also be required to delete the out of date or inaccurate information and replace it with updated and currently relevant personal information.
For more information on the obligation to destroy or de-identify personal information, please see our Privacy Updates Australian businesses must destroy or de-identify personal information no longer needed for the purpose(s) authorised and What do death, taxes and deactivated online accounts have in common?
APP 13 requires that an organisation that holds personal information complies with the subsequent correction obligations. While not yet tested in Australia, one could argue that a search engine such as Google at least uses (if not holds) the personal information it collects and displays on its indexed searches/results pages. For example, when one conducts a search of an individual's name through Google (or other search engines), not only are links to the relevant indexed webpages shown but the search engine also displays its own summary of the content on the relevant indexed webpages, known as "snippets". As we understand it, some of the search engines also store the information in these search results and the snippets.
The snippets and the holding/storing of the indexed search results which include personal information in that snippet arguably means that the search engine is in fact collecting, holding and/or using personal information itself, separate and distinct from the original webpage/article. If this is the case, search engines will be required to comply with the APPs in respect of the snippets, including the correction requirements of APP 13. While this may not specifically include deleting links to third party webpages, search engines may have to consider deleting any personal information they hold in respect of indexed search results and snippets where such is no longer relevant, accurate or up to date.
Of course, the organisations that originally collect, hold, use and/or disclose the relevant personal information are more suited to judging the relevancy of any personal information that they are holding. In cases dealt with by the Privacy Commissioner to date, where a company has disclosed personal information online in contravention of the APPs and a search engine has indexed such information (seen in the own motion investigation into Telstra Corporation Limited), the Privacy Commissioner has not yet turned his attention to the relevant search engine(s) involved in indexing such materials. However, perhaps it will not be long before someone in Australia challenges the collection of personal information used in the snippets of indexed search results by search engines.
Now that the dust from the Google case is settling, it is imperative that Australian organisations remember that: (i) the obligation to assess the relevancy and currency of personal information they hold is not in fact "new" to the Australian context; and (ii) from 12 March 2014 a serious breach and/or repeated breaches of this obligation (or any other APP) may lead to fines of up to A$340,000 for individuals or A$1.7 million for corporations.