In light of recent European legislation, Christopher Coughlan, solicitor at Ashfords, examines what the impact and scope of the right to be forgotten movement will be.
We are constantly reminded of the dangers of sharing personal data online and we are told that it is imperative that we maintain our data security, but is there anything that we can do about negative content that has been published about us online?
On 13 May the Court of Justice of the European Union (CJEU), handed down a controversial judgment which supported the ‘right to be forgotten’.
The issue was brought before the court when a complaint was made by a Spanish man, Mario González, who discovered that Google searches on his name resulted in links to newspaper articles about his financial affairs, including the repossession of his home. González argued that the financial difficulties had been resolved for a number of years and therefore the references to them were irrelevant.
The two key questions before the CJEU were:
- Does an internet search engine fall under the definition of a data controller for the purposes of the European Data Protection Directive?
- If it does, then can individuals identified in any irrelevant or inaccurate web pages request that the web pages are deleted?
The CJEU found that the answer to both questions is yes and it said that even if the information is true and lawfully published the individual’s fundamental rights to family and private life can take precedence.
In practical terms, this means that internet search engines such as Google, can now be forced to remove data that is ‘inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed’.
The judgment does not consider any of the other fundamental rights enshrined in the European Convention on Human Rights, most notably, the right to freedom of expression. In addition this supposed right to be forgotten is something that caused a lot of debate when the new draft Data Protection Regulations have been discussed in Europe.
The issues highlighted may well be dealt with in the new Data Protection Regulations but in the meantime Google has stated that it intends to comply with the ruling.
Since the 13 May Google has been in discussions with a number of data protection regulators across Europe and it has now launched a service which permits Europeans to request that their personal data is removed from search results.
Google has said that each request will be assessed on a case by case basis and the form that individuals must complete states, that ‘when evaluating your request, we will look at whether the results include outdated information about you, as well as whether there’s a public interest in the information’.
The Information Commissioner’s Office (ICO) has said that it will give Google time to comply with the judgment and that this right to be forgotten will be difficult to implement. David Smith of the ICO stated that, ‘It is important to keep the implications in proportion and recognise that there is no absolute right to have links removed.’ The ICO will focus on evidence of damage and distress to individuals when assessing complaints made against Google surrounding this right to be forgotten.
Europe’s data protection regulators are set to meet in early June so we may get a clearer picture then on how they intend to regulate this issue. I would expect that we will see some guidance appearing in the near future.
It is important to remember that this only applies to the European Union, so even if an individual is successful in having personal data removed from search results within the EU this information will still appear in Google search results generated outside the EU. Another absurdity to the whole matter is that González, in successfully asserting his right to be forgotten, has reminded us all of the very information that he wants to be forgotten.