A recent European Union Court decision signals “the right to be forgotten” is gaining momentum. The Court fined Google 900,000 Euros (A$1.32 million) and ordered links to outdated newspaper articles be removed from search results on the basis the links were a breach of privacy. The decision has ramifications for search engines, online publishers and media outlets in the EU, as well as for Australian organisations with EU operations. In Australia, the decision highlights the tension between the right of individuals to protect the privacy of their personal information and the realities of privacy in the digital era.

IT ALL BEGAN WITH A GOOGLE SELF-SEARCH

As many people do, Spaniard Mario Costeja Gonzalez conducted a Google search of his own name. The results included links to two unfavourable La Vanguardia newspaper articles about him from 1998.

Mr Gonzalez asked La Vanguardia to remove or alter those web pages so that his personal information would not appear in Google searches. He also requested Google Spain or Google Inc. delete or hide his personal information so that neither the information, nor the links to the La Vanguardia page, would appear in the search results. Both requests were denied and Mr Gonsalez’s complaint (in relation to Google) was ultimately considered by the European Union Court of Justice.

OVERRIDING RIGHT OF PRIVACY

The Court found that Google Spain and Google Inc had interfered with Mr Gonzalez’s privacy rights and that his privacy rights “override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in finding that information.” The privacy obligations Google Spain and Google Inc owed to Mr Gonzalez existed, even though that information had already been lawfully published by La Vanguardia.

Google argued it had no control over, or knowledge of the information and that all data is processed in the same way, whether it is personal information or not. However, the Court found it was irrelevant that processing was automatic and without discrimination: to the contrary, Google Spain and Google Inc were considered “controllers” of information already published by other websites, because in collecting, recording, storing, organising, and disseminating websites in a particular order, Google was processing information separately (and in addition to) La Vanguardia.

The ramifications for search engines operating within the EU are clear: despite dealing with vast amounts of data (often in an automated way), search engines may not be exempt from the application of the principles enshrined in the EU Data Protection Directive and implemented in national laws of Member States. There is a burgeoning right for individuals to be “forgotten”.

DOES THE SAME RIGHT EXIST IN AUSTRALIA?

The short is answer is “no”.

The Australian Privacy Principles contained in the Privacy Act focus on the rights of individuals to access and correct personal information held by an Australian organisation or agency, and the requirements for personal information to be kept up-to-date during its lifecycle and then destroyed (or put beyond use) if it is no longer needed for a legitimate business purpose.  

An individual does not, currently, have a right to request that the organisation delete personal information.

The recent Australian Law Reform Commission’s discussion paper on “serious invasions of privacy” recommends that such a right be introduced as a new APP. Submissions to the ALRC paper closed on 12 May 2014 and we await its recommendations.

Australian organisations conducting business in the EU should be aware they may be bound by EU data protection laws generally. As such, the privacy compliance programs of these organisations may now need to include measures to address this “right to be forgotten”.

MANAGING THE PUBLIC MISCONCEPTION

Even if the “right to request deletion” APP is not enacted into the Privacy Act, there is a general (albeit incorrect) expectation among the public that the rights to request access to and correction of personal information (under APPs 12 and 13) extend to a right to request the deletion of personal information.

In responding to such a request, organisations must bear in mind the public misconception of a “right to be forgotten” before simply denying the request on the basis it is not legally required to delete information.

The best approach is to be proactive and address the issue in your privacy policy. A failure to do so may not (as yet) have legal implications under the Privacy Act, but the risk of brand and reputation damage associated with not properly dealing with consumer concerns about personal information is high and growing.

For Australian organisations already dealing with the increased privacy obligations under the APPs, the Google decision is yet another consideration to bear in mind when developing a privacy compliance program