The UK Information Commissioner’s Office (ICO) recently published a one-page summary of its key findings in relation to this case, along with a blog regarding the practical consequences. This has some interesting and topical views, which I thought I would share with you.
The ICO’s blog post (here, which has a link to its one page case summary) identifies that the case has grabbed headlines, and put data protection issues firmly into the public forum yet again. The ICO note four key findings:
- that search engines may have to remove some search results – but critically this is in respect of their own activities as a data controller, not the removal of the site with the original information on it. The ICO won’t be enforcing this until there are practical ways of removing the search results – in the same way that there was a tolerance period in respect of the new rules on cookies a couple of years ago;
- that the current 1995 EU Directive (which led to the 1998 Data Protection Act) still meets some of the challenges posed by technologies – and that the ICO welcome the judgement confirming that search engines are data controllers;
- applying the “right to be forgotten” will be difficult in practice – many comments seem to overstate the requirements here. There is no absolute “right to be forgotten”, nor a requirement to remove the original material the search engine was linking to, particularly if it is a journalistic matter, art or literature. The ICO envisages that bloggers will use the “journalistic” exemption to apply to them. Here the ICO are realistic as well – the new “right to be forgotten” to be introduced in the new EU Data Protection Regulation will bring individuals closer to having greater rights in their data – but there are still practical considerations to overcome; and
- the judgement may have been delivered, but this is just the beginning – how will search engines comply? How will the competing rights of data controllers and data subjects (you and I) be balanced? Much more guidance is needed in this area, and the ICO are taking this up with their equivalents in other countries to try and determine a common, and correct, approach. In the meantime, the advice is to ensure that if requests are received, that they are considered appropriately, and consistent with the judgement upholding the data protection rights of individuals.