Navigating EU Right to be Forgotten Law
The EU’s legislation on the Right to be Forgotten can seem daunting. The correct application requires patience and experience.
Increasingly, everything starts with a Google search. Managing your online footprint is therefore a key part of your reputation management strategy.
As Google is currently facing its first battles in the London High Courts over the Right to be Forgotten—in two cases requesting the removal of information about criminal convictions—the intersection of personal privacy and public interest online is again pushed to the fore.
The EU’s Right to be Forgotten legislation finds its origin in a 2010 Spanish court case concerning an individual’s attempts to remove the URL listing an auction notice of a repossessed home. The citizen lodged a complaint through the national Data Protection Agency and subsequently against Google Spain and Google Inc. The case snowballed and was eventually referred to the Court of Justice of the European Union (CJEU).
The CJEU found, firstly, that the EU’s 1995 Data Protection Directive applies to all search engines—including Google—that have a branch selling advertising space in an EU Member State, regardless of the geographic location of the physical servers that process the data. Secondly, the ruling found that search engines should be legally classified as ‘controllers of personal data’ under EU data privacy laws, and not ‘media’, like newspapers. Thirdly, the CJEU ruled that EU citizens and residents have the right to ask search engines to remove links with personal information about them.
The right to be forgotten is likely to be approved providing its application is balanced against fundamental rights, like freedom of expression and the freedom of the media.
As Google’s official figures demonstrates, actually getting the problematic URL removed from Google’s index is far from easy; over 60% of requests since the initiatives launch on 20 May 2014 have failed.
The crux rests in crafting a carefully worded statement, which establishes beyond doubt that a webpage’s content is—to quote Google’s own Right to be Forgotten Application—‘unlawful, inaccurate, or outdated’.
Google have judiciously developed criteria in alignment with the CJEU’s Article 29 Data Protection Working Party, which offers a guideline on the implementation of the EUCJ’s judgement in the aforementioned Spanish case. Knowledge of Article 29 is therefore necessary for safeguarding online privacy.
The crucial aspect to consider involves the maintenance of what the EUCJ describes as “a fair balance between fundamental rights and interests”. If the information contained on the webpage is deemed to be in the public interest, then proving that the sensitive data’s damage done to the subject outweighs the public interest is especially challenging. For example, Google offers the following reasoning regarding why many URLs are not de-listed:
“Determining whether content is in the public interest is complex and may mean considering many diverse factors, including—but not limited to—whether the content relates to the requester’s professional life, a past crime, political office, position in public life, or whether the content itself is self-authored content, government documents, or journalistic in nature.”
Removing URLs pertaining to individuals in the ‘public eye’ is more difficult, but not impossible. Due to the varied nature of requests Google receives, every request is considered manually (there are no automated procedures) and on a ‘case-by-case’ basis, in order to ensure each case is treated according to its unique context. In practise, this involves a number of operatives, who may take different views on how to apply the right to be forgotten legislation.
In addition, the Right to be Forgotten does not delete information from the original source—i.e. the newspaper’s website—and only results obtained from searches made on the basis of a person’s name will be removed from the search engine’s index, not from the search engine’s entire portfolio of indexes. This means the information will still be obtainable through other “keyword” searches, or by direct access to the publisher’s original source. This is because, as aforementioned, search engines are legally classified as ‘controllers of personal data’ under EU data privacy laws—not ‘media’—and so do not benefit from the various protections and exemptions provided for journalistic work.
The “data subject”—meaning the individual wishing to have sensitive information removed from a search engine index—must be either an EU citizen or resident of an EU Member State. How precisely Britain’s impending exit from the EU will impact British citizen’s access to the Right to be Forgotten is yet to be established. However, with this in mind, it is wise for individuals to apply for the Right to be Forgotten before Brexit is completed.
Interestingly, a 2015 Google transparency report indicated that 95% of Google privacy requests are from citizens aiming to protect their personal and private information. In our experience, in a series of applications, each are dealt with by a variety of different operators. This means that multiple applications give different results, with the result that “chipping away” at right to be forgotten applications bears fruit.
In short, the right hand of Google does not know what the left hand is doing, and we have a track record of success against this background.