The right to be forgotten – who can decide?

A discussion of the right to be forgotten in the context of the new EU data protection proposals.

10 May 2013

At the start of 2012 the European Commission proposed a new framework for the regulation of the protection of personal data within the European Union.  These proposals have been much commented upon at both a national and European level. The current Irish Presidency of the EU is making great efforts to get agreement so that this new Regulation can be finalised before the European Parliament elections scheduled for 2014.

One aspect of these new proposals which has received much comment is the so-called “right to be forgotten”. The aim of these provisions is to be applauded – there is much concern that comments and photographs posted online by or about children (in particular but the right is not for children alone) will follow them into their adulthood.  Essentially the right to be forgotten will allow individuals to “wipe the slate clean” and be able to request that those holding their personal data remove the digital copies of the information.

A recent example of the sort of situation that this is trying to capture can be seen in the case of Paris Brown, who was appointed as Youth Police and Crime Commissioner for Kent but who has since had to resign after complaints were made about the alleged racist and homophobic nature of tweets she made in previous years.  Having said that even if she had asked Twitter to remove her account (which has now been done) there would have been no guarantee that copies of the comments would not have been found somewhere.  This emphasises one of the potential flaws in providing this right - whether it is actually practical as it may prove impossible to track down all cached copies of the information in question.  Equally it raises questions of data integrity and accuracy of archives.

Although this is much vaunted as a new right there is a strong argument that it simply builds on existing rights under the current data protection framework – the EU Data Protection Directive of 1995 upon which our Data Protection Act 1998 is based.  An example can be seen in the referral by the Spanish High Court (Audencia National) to the European Court of Justice (CJEU).  This case involves an individual who made a complaint to the Spanish Data Protection Agency (Agencia Española de Protección de Datos) after doing a Google search of his name and finding a link to newspaper advertisement for a sale of a property which related to an old (and now resolved) debt.  The person had asked Google to remove the link but they had not done as requested so he complained to the Spanish Data Protection Agency.  The Agency agreed with the position of the individual and asked that Google remove the link.  Google failed to do this as it was of the opinion that as the advertisement was published in a newspaper the link should not be taken down.  Google appealed and the court has referred a number of questions to the CJEU.

The referral questions how far existing rights allow someone to be forgotten about by a search engine.  Do the rights to erasure and blocking of data and the right to object to processing of personal data cover this situation – i.e. do they mean that an individual can request that a search engine must prevent indexing of their personal data even although the information is lawfully published on third parties' web pages?

The questions also include important issues such as whether Google is a data controller in these circumstances or merely a host (and therefore not liable for processing of personal data in terms of the 1995 Directive).  Equally important is the question of, if it is considered that Google is processing personal data (and therefore is a data controller), whether the Spanish Data Protection Agency has jurisdiction over Google.  Google is based in California but has a presence in Google Spain however this presence is purely for the purposes of selling advertising space and is not to do with the indexing of web pages located in Spain for the purposes of Google search results.  Is this advertising business sufficient to provide jurisdiction? Or can the Agency claim jurisdiction on the basis that the individual is located there and therefore the Agency is best placed to fulfil the individual’s rights?  The Agency believes it has jurisdiction but will the CJEU agree?

A similar issue has recently been ruled upon in Germany in relation to Facebook.  Facebook is also based in California but it has based its non-US and Canadian operations in Ireland.  The issue here was about the Facebook policy of requiring users to register with their real names and not to be able to use pseudonyms.  The data protection regulator for Schleswig-Holstein (the Unabhaengiges Landeszentrum fur Datenschutz) had issued a ruling against this policy.  Facebook appealed and recently the Schleswig-Holstein Administrative Court ruled that German data protection rules do not apply as Facebook’s European operations are run out of Ireland and therefore only Irish data protection laws apply.  This is a blow for German data protection regulators who are notoriously more pro-privacy than other European regulators.

This decision is likely to be appealed but it does highlight one of the main drivers for the new European data protection framework – a perception that despite a common foundation in the 1995 Directive the national implementing legislation is sufficiently different that there is not true harmonisation.  The aim of the new proposals – which are to be implemented by a Regulation, is to remove these national differences.  The differing regimes do however reflect the differing national approaches to the protection of personal data so it remains to be seen whether agreement on these new proposals can be achieved and indeed whether the “right to be forgotten” becomes law at all.