The High Court has confirmed for the first time that the “right to be forgotten” by search engines, established by the CJEU in Google Spain SL v Agencia Espanola de Proteccion de Datos Case C-131-12  QB 1022, can in some circumstances include the right to require search engines to remove links to reports of an individual’s criminal convictions. In NT1 and NT2 v Google LLC (The Information Commissioner intervening)  EWHC 799 QB, the court considered two cases in which businessmen convicted of conspiracy sought to have links to reports of their crimes removed. One of the claimants succeeded, while the other failed due to the different circumstances of his case. The judgment of Warby J provides useful guidance for search providers facing similar requests in future.
The claimants were referred to by initials in order to protect their identities. Both their convictions occurred more than a decade ago and are now spent. NT1 was convicted of conspiracy to commit false accounting and tax evasion, while NT2 pleaded guilty to conspiracy to tap the phones and hack the computers of environmental activists who had made threats against him and his business. Both asked the court to order Google to remove certain links from searches on their names under ss. 10 and 14 of the Data Protection Act 1998 (the “DPA”) on the basis that the information available at the links was inaccurate and/or likely to cause damage and distress, and they sought compensation under section 13 of the DPA. In response, Google relied on the journalism exemption in s.32(1) of the DPA, amongst other matters.
The claimants also relied on the common law tort of misuse of private information. Although convictions are in principle a matter of public record, in recent years a number of cases have established that once enough time has passed, a conviction that is spent (under the definition in the Rehabilitation of Offenders Act 1974) can be treated as part of an individual’s private life.
While much of the decision turned on the facts of the two cases, the following points of general principle emerge from the judgment:
- A claimant who wishes to challenge the accuracy of data held about him can generally choose whether to claim for defamation, data protection breaches, misuse of private information, or a combination of the three, provided that the claimant’s motivation is not solely to correct misinformation, but also to protect his privacy. It is not an abuse of process to choose to pursue a data protection or privacy claim rather than a defamation claim in these circumstances.
- Search providers will not normally be able to rely on the journalism exception in s.32(1) of the DPA, since they process third party content not only for journalistic purposes as required by that section, but also for commercial purposes. They will also typically have difficulty in establishing a reasonable belief that publication was in the public interest, as also required by s.32(1), since they will usually only consider that question after a complaint is made. Search providers are therefore in a different position to media organisations.
- The DPA regime allows search providers to process information relating to a conviction on the basis that it “has been made public as a result of steps deliberately taken by the data subject” (Schedule 3, Condition 5) in committing the offence.
- At least in cases of this type, there is no material difference between the issues of whether words complained of would be understood to refer to the claimant for the purposes of a defamation claim, and whether data relate to an identifiable individual for the purposes of the DPA.
- The General Data Protection Regulation (GDPR) is not to be used as an aid to interpreting Google Spain or other legal principles applying to events that take place before the GDPR is in force. Rather, in applying Google Spain, the court should weigh the following questions:
- Does the search result relate to an individual, and does the search result come up against a search on the data subject’s name?
- Does the data subject play a role in public life? Is the data subject a public figure?
- Is the data subject a minor?
- Are the data accurate?
- Are the data relevant and not excessive? For instance, do the data relate to the working life of the data subject, do they constitute hate speech, slander, libel or similar offences against the complainant, and is it clear whether the data reflect a personal opinion or are verified fact?
- Is the information sensitive within the meaning of Article 8 of the Data Protection Directive?
- Are the data up to date, and are they being made available for longer than is necessary for the purpose of the processing?
- Is the data processing causing prejudice or a disproportionately negative privacy impact?
- Does the search result link to information that puts the data subject at risk?
- In what context was the information published? For instance, was it voluntarily made public by the data subject or could the data subject reasonably have known that it would be made public?
- Was the original content published in the context of journalistic purposes?
- Does the publisher of the data have a legal power or obligation to make the data publicly available?
- Do the data relate to a criminal offence?
Applying these criteria, Warby J noted that NT1 continued to play a limited role in public life and had been convicted of a business crime, not a matter of a private nature. He had shown no remorse. He remained in business, and the information about his conviction was therefore relevant to the assessment of his honesty by members of the public. There was no evidence of material interference with his right to respect for family life or of damage to his business, and to the extent there was any such interference, it was justified by and proportionate to the right of the public to receive the information. Warby J did not find that any of the information was inaccurate. NT1’s claim therefore failed.
In relation to NT2, Warby J found one of the linked articles to include inaccurate information. He ordered that link to be removed from future searches on the claimant’s name. As regards the other links that did not lead to inaccurate information, Warby J noted that NT2 also remained a public figure to a limited extent. However, he was no longer involved in the same industry as before his conviction, and there was no basis to think that he would repeat his wrongdoing or presented a risk to consumers, customers or investors. He was convicted of an invasion of privacy, not dishonesty. He had acted in a belief that he was defending his business against people responsible for trespass, criminal damage, and death threats, and had shown remorse and pleaded guilty. He had not made any false claims regarding his reputation or integrity. Overall, the information regarding his conviction had therefore become irrelevant.
There was evidence that the ongoing availability of the information was having a profound adverse impact on NT2’s family, including his school-age children, and he provided credible detail regarding damage to his business. It was therefore appropriate to order the links to be removed from search results on his name. However, Google had shown a commitment to complying with the relevant data protection requirements and had taken reasonable care to do so. Therefore, no damages were payable.
Warby J stressed that this decision did not prevent Google from returning any of the links in searches that did not specify the claimant’s name, nor did it automatically follow that the claimant could require the original publishers of the linked articles to take them down.
While search providers will be disappointed with the court’s finding that the journalism exception does not apply, there are also positives to be taken from this judgment. Its detailed and careful reasoning will provide a useful framework for search providers looking to ensure that their processes for reviewing delisting requests comply with data protection requirements. Finally, Warby J’s refusal to order compensation for NT2 demonstrates that the courts are willing to protect search providers who take reasonable care in processing personal data.