Data Protection: The "Right to be Forgotten" Updated









Jane Lambert

The phrase, "the right to be forgotten", was coined by the Audiencia Nacional (the Spanish high court) in its questions to the Court of Justice of the European Union ("CJEU") pursuant to art 267 of the Treaty on the Functioning of the European Union in Case C‑131/12 Mario Costeja Gonzalez v Google Spain SL and another  [2014] 2 All ER (Comm) 301, [2014] All ER (EC) 717, [2014] 1 QB 1022, [2014] 3 CMLR 50, [2014] ECDR 16, 36 BHRC 589, ECLI:EU:C:2014:317, [2014] EMLR 27, EU:C:2014:317, [2014] 3 WLR 659, [2014] EUECJ C-131/12, [2014] QB 1022.

In that case the Audiencia Nacional asked the CJEU

"whether Article 2(b) of Directive 95/46 is to be interpreted as meaning that the activity of a search engine as a provider of content which consists in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference must be classified as ‘processing of personal data’ within the meaning of that provision when that information contains personal data. If the answer is in the affirmative, the referring court seeks to ascertain furthermore whether Article 2(d) of Directive 95/46 is to be interpreted as meaning that the operator of a search engine must be regarded as the ‘controller’ in respect of that processing of the personal data, within the meaning of that provision."

The CJEU replied as follows:

"Article 2(b) and (d) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data are to be interpreted as meaning that, first, the activity of a search engine consisting in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference must be classified as ‘processing of personal data’ within the meaning of Article 2(b) when that information contains personal data and, second, the operator of the search engine must be regarded as the ‘controller’ in respect of that processing, within the meaning of Article 2(d)."

As a consequence of that decision search engine operators such as Google have to comply with the data protection principles set out in art 6 (1) of Directive 95/46/EC when processing search requests relating to living human beings. I discussed that case in Right to be Forgotten: A Transatlantic Dialogue  1 Aug 2015.

Following the CJEU's decision in the Google Spain case, a working party consisting of representatives of the supervisory authorities of each EU member state (including the British Information Commissioner) known as "the Art 29 Working Party" published Guidelines on the implementation of the Court of Justice of the European Union judgment on “Google Spain and inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” c-131/12Those Guidelines were applied carefully by Mr Justice Wardle in NT1 and another v Google LLC [2018] EWHC 799 (QB) (13 April 2018).  In that case, two businessmen, known respectively as "NT1" and "NT2", sought orders requiring details of their offending, convictions and sentences to be removed from Google's search results on the grounds that the information was inaccurate, old, out of date, irrelevant, of no public interest, and/or otherwise an illegitimate interference with their human rights.  The judge threw out one of those claims altogether but partially granted the other.   I discussed that case in Right to be Forgotten - NT1 and another v Google 20 April 2018.

One of the changes to data protection law to be brought about by the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR") is an express right to be forgotten.  Art 17 (1) of the GDPR provides:

"The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(a)  the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6 (1), or point (a) of Article 9 (2), and where there is no other legal ground for the processing;
(c)  the data subject objects to the processing pursuant to Article 21 (1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f)  the personal data have been collected in relation to the offer of information society services referred to in Article 8 (1)."

The data controller also has a further duty under art 17 (2) GDPR to "take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data" taking account of available technology and the cost of implementation.

However, the right to be forgotten is not absolute.  The above obligations do not apply to the extent that processing is necessary:
(a)  for exercising the right of freedom of expression and information;
(b)  for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c)  for reasons of public interest in the area of public health in accordance with points (h) and (i) of art 9 (2) as well as art 9 (3) of the GDPR;
(d)  for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with art 89 (1) GDPR in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(e)  for the establishment, exercise or defence of legal claims (see art 17 (3) GDPR),

Paragraph (65) of the recitals to the GDPR explains the policy:

"A data subject should have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject. In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation. That right is relevant in particular where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet. The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child. However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims."

The reason for the additional obligation under art 17 (2) is explained in the next paragraph:

"To strengthen the right to be forgotten in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data. In doing so, that controller should take reasonable steps, taking into account available technology and the means available to the controller, including technical measures, to inform the controllers which are processing the personal data of the data subject's request."

With the substitution of the words "domestic law" for "Union or Member State law" in art 17 (1) (e) and art 17 (3) (b) as prescribed by para 17 of Sched 6 to the Data Protection Bill, clause 22 (1) of that Bill provides that art 17 GDPR to the processing of personal data as if it were part of a UK statute.

Anyone wishing to discuss this article or data protection law in general should call me on 020 7404 5252 during office hours or send me a message through my contact form.

Further Reading
20  Apr 2018   Jane Lambert Right to be Forgotten - NT1 and another v Google  NIPC Data Protection
1    Aug 2015   Jane Lambert Right to be Forgotten - A Transatlantic Dialogue   NIPC Law

Comments

Popular posts from this blog

The Supreme Court's Judgment in Eli Lilly v Actavis UK Ltd and Others: how to understand it and why it is important

Pre-Action Correspondence: What to do if you get a Stroppy Letter ....... or worse

When it comes to the Crunch: CRUNCH MORTGAGES and bad faith