The Interdisciplinary Internet Institute

The landmark Google Spain decision from 2014 established the right to be forgotten (RTBF) or, more precisely, the right to remove inaccurate, irrelevant or otherwise incompatible links that contain personal data.[1] This judgement received massive media attention and filled citizens with hope that in the future they will be able to bring personal data back under their control.

Traditionally, fundamental rights are ‘conceived as liberties’ – consisting of relatively simple, aspirational statements.[2] Administration of these rights is delegated to contemporary human rights institutions.[3] Their “customary vernacular” is often criticized for being insufficient to guarantee the actual enjoyment of the rights. The right to data protection differs from a typical ‘right-conceived-as-liberty’ and should rather be described as a ‘right-conceived-as-affordance’, i.e. a right granting individuals a possibility to act.[4] This active character is in particular reflected through the right to be forgotten, an important building block of the broader right to data protection. The increasing willingness of Europeans to oppose Google’s data processing yields strong proof that the newly established process of link removal did indeed provide some sort of affordance. Until today Google has received over 700.000 requests for removal and has delisted almost 2 million URLs.[5]

Soon after the CJEU judgement in 2014, the right to be forgotten has begun its march across the EU national courts. Out of approx. 700.000 requests that Google has received so far, deletion was only granted in approx. 43 % of the cases. Some of the cases that were not resolved in favour of individuals have ended up at national DPAs and courts.

Despite a high number of cases, the complexity of adjudicating the RTBF has not decreased a bit, neither for Google nor for the courts.[6] Contrasting opinions issued by national DPAs and judges prove that they often encounter difficulties with the interpretation. The RTBF aims to protect the values that are at the heart of data protection – (informational) privacy, personal autonomy and power symmetry.[7] Understanding what the right to be forgotten is about is certainly relevant for its interpretation and application. That said, understanding what the right is not about is equally important. Among other things, the right to be forgotten does not aim to protect commercial interests or to resolve the problem of fake news.

In this blog I consider two recent decisions on the RTBF. They both demonstrate the intention of applicants to expand the right to fit an array of diverse situations. DPAs and courts, in turn, struggle to determine clear boundaries to the RTBF. Some questions might be less daunting, however, if the true nature of the right to be forgotten as a facet of data protection founded on the values of privacy, autonomy and democratic principles, would be taken into account more carefully.

Manni – the analogy of commercial registers to search engines

Manni was an Italian entrepreneur who sued the Lecce Chamber of commerce for not removing his personal data from their commercial register. Registering commercial entities and their directors is a legal obligation in Italy (as well as in other EU countries). The rationale behind the publicity is, among others, protection of (future) commercial transactions between companies and third parties. Manni contended that the fact that his name in the register could be associated with a dissolved company would negatively impact his reputation and therefore infringe his privacy.[8] The fact that data from the register could be reused (and had been reused) by rating agencies specialised in the collection and processing of market information and in risk assessment, represented a particular danger.

The European Court of Justice (CJEU) denied Manni the RTBF. In the analysis it balanced the right to privacy/data protection and the right to publicity (more precisely, the objectives of legal certainty and protection of third parties), and decided that the latter prevails. Two arguments supported the judgement: 1. the commercial register only discloses a limited number of personal data items, 2. Manni has deliberately chosen to participate in trade and should have known that certain publicity is an indispensable part of it. However, the court pointed out that in exceptional circumstances Manni might have the right to object, i. e. a more limited control right under data protection law. This possibility needs to be assessed on a case-by-case basis.

As Kulk and Borgesius note, in the digital age every online publication might have fatal effects on someone’s privacy: “If a public register is published online, its data can be collected and republished by data brokers, journalists, search engines, and others. Such data re-use can serve important goals […]. However, data re-use can also threaten privacy.”[9] Zanfir, while supporting the CJEU ruling, acknowledges the important point that Kulk and Borgesius make, noting that there is still room for improvement of  “…analysing the proportionality of the interference of the virtually unlimited publishing [underlined by H.U.] of personal data in the Companies Register with Articles 7 and 8 of the Charter.”[10]

The CJEU’s arguments could be stronger if they were supported by the purpose and values behind Article 7 and 8.[11] One of these values is personal autonomy, which could offer an additional explanation why in Manni the RTBF cannot outweigh the publicity principle. If a trader could use the right to remove his personal data, it would be the autonomy of his business that would gain protection but not (necessarily) him as a natural person. From the assertions of the applicant, no particular concern about privacy and autonomy of his person can be inferred. Rather, it is his commercial reputation that is at stake. In the light of the growing importance of data-driven processing Kulk and Borgesius’ observation is welcome, but data reuse’s implicit privacy threats seem, at least in this case, insufficient to tilt the balance in favour of the entrepreneur’s privacy.

Marc Savage v. DPA – the right to be forgotten as a tool to address “fake news”?

In 2014 Marc Savage, an Irish politician, demanded from Google to delete the URL containing the following statement: Mark Savage North County Dublin’s Homophobic Candidate.[12] This URL linked to a web forum Reddit where users discussed Savage’s public behaviour and assumed his negative approach to homosexuals.[13] Google refused Savage’s request, asserting that as a public figure, Mr Savage had joined a debate on matters relating to the gay community and that it was in the public interest that internet users have access to his political and cultural views.[14] Savage filed a complaint against Google at the Irish DPA, which later confirmed Google’s decision. The DPA perceived the post as a representation of someone’s opinion and not as a fact that described Savage’s true characteristics. In line with Article 29 Working Party’s guidelines,[15] the DPA found no inaccuracy that would give rise to the right to be forgotten. Moving the case to the judicial branch, Savage challenged the DPA’s holding at the Dublin Circuit Court.

The case is now pending on the Irish High Court and the decision will be delivered in May. Some expect that the notion of “information (in)accuracy” will once again play the decisive role in the decision.[19] While justice Sheahan herself admitted that the appeal turned on a consideration of a narrow premise, it is disappointing that the court remained silent regarding the ways in which the URL to the discussion on Reddit actually influenced (or could influence) individual privacy and other values underlining the right to data protection. Hopefully, the high court will shed more light on the balancing process.[20]

“… users of the internet, now more than ever, rely on it for ascertaining information, and therefore the need for accuracy regarding factual information in same is of paramount importance,” asserted the applicant. While this is indeed true, it remains open whether the right to data protection is an appropriate instrument to address that many highly diverse challenges of the modern data-driven reality.

In conclusion

What is striking in both cases is the fact that the applicants attempt to take the right to be forgotten to its edges, transforming it into a facilitator of not only data protection and privacy but also other interests, such as preservation of commercial interests and the fight against defamatory comments (in the sense of libel) or fake news. While balancing the right to privacy/data protection and the freedom of expression is challenging enough, various interests that also play a role in a growing number of cases additionally complicate courts’ argumentation. It might be helpful to turn back to normative anchors of data protection, which are self-determination, powers’ symmetry and protection of privacy, to set the boundaries to the right to be forgotten.

 

 

Thanks to Pieter, Jenneke and Vivian for their helpful comments.

 

[1] Court of Justice of the EU, C 131/12, Google Spain v. AEPD and Mario Costeja Gonzales, judgment  from May 13,, 2014, para 92.

[2] Cohen, Julie E., Affording Fundamental Rights (March 13, 2017). 4:1 Critical Analysis of Law (2017), pp. 3-4.

[3] Ibid.

[4] Ibid.

[5]  (accessed on March 25, 2017)

[6] https://blog.google/topics/google-europe/reflecting-right-be-forgotten/ (accessed on March 25, 2017)

[7] See for example Lynskey, O., The foundations of EU data protection law (2015), Oxford University Press.

[8] CJEU, C 398/15, Camera di Commercio, Industria, Artigianato e Agricoltura di Lecce v. Salvatore Manni, judgment from March 9, 2017.

[9] Kulk, Stefan in Borgesius, Z. F.: Freedom of expression and ‘right to be forgotten’ cases in the Netherlands after Google Spain, European Data Protection Law Review 2015-2, p. 113-125.

[10] Zanfir-Foruna, Gabriela: CJEU in Manni: data subjects do not have the right to obtain erasure from the Companies Register, but they do have the right to object, pdpEcho, available at: https://pdpecho.com/2017/03/13/cjeu-in-manni-data-subjects-do-not-have-the-right-to-obtain-erasure-from-the-companies-register-but-they-do-have-the-right-to-object/.

[11] Unfortunately, to date, the Court has been reluctant to elaborate on the precise content of Article 8.

[12] First Irish ‘Right to be Forgotten’ Case (10 March 2017), Mason Hayes & Curran Tech law blog, https://www.mhc.ie/latest/blog/first-irish-right-to-be-forgotten-case.

[13] https://www.reddit.com/r/ireland/comments/26a486/mark_savage_north_county_dublins_homophobic/

[14] Supra 12.

[15] Article 29 Working Party,  Guidelines on the Implementation of the Court of Justice of the European Union judgment on “Google Spain And Inc v. Agencia Española De Protección De Datos (Aepd) and Mario Costeja González” C-131/12, adopted on 26 November 2014

[16] Mark savage v. Data Protection Commissioner and Google Ireland, Record NO. 2015/-2589, delivered by Judge Elma Sheahan on the 11^th October, 2016.

[17] Ibid.

[18] Unfortunately, the balancing exercise between the freedom of expression of Reddit users and Savage’s right to data protection and privacy is rather implicit and does not allow for a more detailed analysis.

[19] Supra 12.

[20] Also, it would be useful if the court could address the possibility that the case would be considered through the lens of a possible defamation instead of a violation of privacy.

 

One of the big internet cases of this year, the Microsoft Ireland case, has come to an end about a month ago as the 2^nd Circuit Court has handed down it’s ruling in favour of Microsoft. The case made quite a splash and has been covered  before at the RENFORCE blog. With the verdict in, the time is ripe to revisit it and look at it again, this time from a different angle.

The case started when Microsoft was served with a (domestic) search warrant by the U.S. government under the Electronic Communications Privacy Act to produce information relating to a drugs trafficking and money laundering case. The warrant included the production of e-mails  stored behind the msn.com domain, which is operated by Microsoft. Microsoft declined to comply with the warrant as far as the e-mails were concerned because, according to Microsoft, those e-mails were located on servers in Ireland and only there, and therefore not susceptible to a domestic search warrant. More…