The great irony of the European Court of Justice’s (“CJEU”) decision concerning Google and the ‘right to be forgotten’ is that the original complainant now has his name at the front and centre of the Judgment, plastered across every legal précis, and when one now searches his name in Google, the very reason for his original complaint is easily identifiable. Should Google remove access to the CJEU’s judgment from its search engine, and any related articles that identify the individual and the basis of his complaint? Or does the very existence of the CJEU decision mean the information concerning the complainant is in fact now ‘adequate’ and ‘relevant’?

One unintended consequence of the CJEU’s decision – but there are others.

As lawyers and companies alike have realised, the CJEU decision has very wide implications compounded by the new Data Protection Regulation with the spectre of fines of up to 5% of the global turnover of the company. The definition of a data controller is now perceptibly very wide indeed. As many commentators have proclaimed, overreaching and overbearing data protection laws are in danger of inhibiting free speech, and there is a particular risk in the area of the exposing of corruption.

There has been an upsurge in interest in the value of the internet and social media and the use of anti-corruption NGOs and their websites to identify and expose corruption. Hillary Clinton recently indicated that social media is a good forum in which to fight corruption and hold governments to account. Senior Director, Elaine Dezenski, Head of Partnering Against Corruption Initiative of the World Economic Forum, emphasized that social media and the internet are the key tools in tackling corruption. We recently saw Ukraine’s Anti-Corruption Center creating the website to publicise information and documentation alleging links between the former regime and corruption.

Unfortunately, the CJEU decision and the existing data protection laws and the new Data Protection Regulation do potentially have further unintended consequences for NGOs and public interest groups, that might not traditionally be classified as journalists, seeking to use social media to identify and publicise corruption. They may well need to comply with the CJEU decision and may not have the benefit of the journalistic exemption that is say available under the UK’s Data Protection Act under Section 32. Indeed, data protection laws are being used to challenge the investigative work of, for example, Global Witness. Four executives of a company have brought legal proceedings in the UK against Global Witness. Global Witness has alleged that the company entered into corrupt contracts to secure mining rights, an allegation the company denies. In their UK lawsuit, apparently four officials of the company have demanded that Global Witness hands over documents that it holds mentioning them or the company, including information on sources, and that Global Witness deletes any inaccurate data it holds. They argue that such documentation should be considered as holding “personal data” under the Data Protection Act.

Article 7(1)(c)(ii) of the Data Protection Act does require the data controller to provide any information available to the data controller “as to the source of those data”. If the claimants are right in their interpretation of the Data Protection Act then this will be of huge concern not just to anti-corruption NGOs but to those brave ‘whistleblowers’ who may have furnished critical evidence but wish their identities to be hidden.

As indicated above, the claimants in the Global Witness case are also seeking an order pursuant to section 14 of the Data Protection Act that Global Witness rectifies, blocks, erases or destroys data held which the Court holds is inaccurate.  This is a rather neat way to circumvent the various defences available to libel defendants – such as fair comment or qualified privilege – potentially forcing Global Witness to defend the truth of the allegations.

Global Witness relies, amongst other arguments, on the section 32 exemption that the processing was required for journalistic purposes. If the Court does not accept Global Witness’ position, NGOs and campaign groups that may be involved in public interest investigations, including those concerning corruption, are likely to strenuously complain that their wings have effectively been clipped by the unintended consequences of data protection laws.

The CJEU decision also suggests that search engines are under some obligation to decide what is in the ‘public interest’ – weighing up privacy against freedom of expression - whether the data they hold (and are processing) is “inadequate, irrelevant or excessive in relation to the purposes of the processing, that they are not kept up to date, or that they are kept for longer than is necessary unless they are required to be kept for historical, statistical or scientific purposes.” As the CJEU indicates in its Judgment this may be an easier test to apply if the role played by the data subject is in public life, and that the interference with his or her fundamental rights is justified by the preponderant interest of the general public in having, on account of inclusion in the list of results, access to the information in question. But is it right that search engines should be forced to decide what is in the ‘public interest’? Or worse still, are we happy for search engines to take the easy option and simply immediately remove access to information as soon as a complaint is received without applying any form of public interest analysis? If the initial trickle of complaints becomes a flood, that is likely to be the more commercially viable option, particularly if expensive litigation is the downside of not removing the relevant data. There is no obligation on search engines to fight these cases to Judgment.

Another anomaly that is highlighted by the CJEU decision is that a complainant can have his or her data removed by a search engine, but does not have to make any complaint to the originator of the statement. A complainant is highly unlikely to make a request under the Data Protection Act to say a newspaper that can avail itself of the Section 32 defence. Perhaps at the very least there should be some form of pre-condition applied (a successful complaint to the originator of a statement) before a ‘search engine’ can be approached to remove publicly available information.

In the modern world we have to accept that search engines are the gateway to information - a modern day historical archive. Search engines should of course have responsibilities. But should we expect them to be the arbiters of what is in the public interest, and decide what information the public can access, which is what the Information Commissioner presently asks data controllers to do? That responsibility should perhaps lie with a public body, such as the Information Commissioner, and/or the Courts, without necessarily requiring a search engine to play a role in such a decision. Data protection laws must also not be used to stifle responsible speech; if they are or can be, they must be amended as appropriate, or there is the risk that these laws will be used to suppress the identification and reporting of corruption, and have a chilling effect on whistleblowers and those who want to responsibly use their information to expose corruption.