In the last post we charted the development of the regulatory environment following the advent of the so-called ‘right to be forgotten’ (RTBF) following the landmark Costeja judgment. In this post we consider some of the practical problems that the judgment has generated.
What is the required geographical extent of de-listing?
Can the right be implemented merely through de-indexing from national versions of search engines? Can RTBF be considered effective if a user may access all de-indexed material merely by switching to the .com version of the search engine?
In February 2015, Google’s Advisory Council took the view that de-indexing from all Europe-directed search services was sufficient. It noted that “over 95% of queries originating in Europe are on local versions of the search engine” and the “competing interest on the part of users outside of Europe to access information via a name-based search in accordance with the laws of their country”. Accordingly, extending de-listing beyond Europe would be disproportionate. This contradicted the Article 29 Working Party’s earlier guidance of November 2014 which recommended that “de-listing should also be effective on all relevant domains, including .com”.
Unsurprisingly (the Working Party’s members mostly come from national data protection authorities (DPAs)), the latter view appears to have won out. In June, the Commission nationale de l’informatique et des libertés (CNIL), the French DPA, ordered Google to implement delisting irrespective of the extension used. In September an appeal by Google was rejected, it being noted that “geographical extensions are only paths giving access to the processing operation” and that Google’s approach rendered the RTBF hollow by “applying variable rights to individuals depending on the internet user who queries the search engine and not on the data subject”.
Prioritising effectiveness potentially conflicts with the principle of extraterritoriality. CNIL is correct to say that RTBF becomes nonsense if anyone can subvert the protections afforded by merely switching to google.com. Yet the logical conclusion of CNIL’s approach is that the CJEU and DPAs have ultimately granted themselves licence to control what most of the world sees on search engine results.
What approach is taken to the republishing of de-listed material?
To what extent is it permissible or desirable to curb the so-called ‘Streisand effect’, the inadvertent publicising of material that you want supressed? For instance, when an article is published about the de-listing of a previous article including the original personal data?
In August, the Information Commissioner’s Office (The UK DPA) ordered Google to de-list a number of articles relating to an individual’s 10-year-old conviction. In June a Dutch court came to the opposite view, refusing to require de-listing in preliminary relief proceedings, also concerning a 10-year-old conviction.
The distinction was that the former case concerned a spent conviction for a minor offence where there was no need to repeat the complainant’s name. In the latter, a convicted killer was attempting to erase any online link between his name and his victim’s. The court held that (pending final judgment) the victim’s father was entitled to publish material online to frustrate this purpose. So republication will depend on the nature of the story and the manner in which it has been handled.
Has the RTBF blown up the internet?(!)
As of 11 January 2016, Google received 368,565 de-listing requests across Europe with 42.3% of evaluated URLs being removed. In the UK 38.4% of evaluated URLs were removed following 45,338 requests. Well below 1% of UK requests were escalated by complaints to the ICO and very few complaints were successful. Costeja has undoubtedly created a substantial regulatory burden for search engines, but the system appears to be coping.
Early fears of calamity have proven unfounded with search engine operators working constructively with DPAs. The delisting criteria are a sensible attempt to grapple with the problems that have attended the rise of the internet. However, substantial issues remain. The geographical reach of the RTBF requires careful thought. There is also a tension between de-indexing across all European domains given that EU member states have different approaches to freedom of expression (for instance the crime of “holocaust denial” is unknown in English law), which could create a race to the bottom in favour of privacy rights. Nevertheless, the RTBF is here to stay and has found its way into the semi-finalised text of the new General Data Protection Regulation, highlighting the increasing overlap of privacy and data protection rights.