June 11, 2014
Previously published on June 5, 2014
You may have read about the recent European Court of Justice decision regarding Google in Spain and “the right to be forgotten”.
There has been heavy press coverage about what this means for Google. However, this is a decision that is likely to affect all businesses. There are also implications that go beyond the judgment. In the next couple of years, the current data protection regime in the EU will be replaced with new Data Protection Regulations. Almost all businesses now deal with data in some way and the changes are worthy of note for companies of all shapes and sizes.
All companies need to be better informed about what this means for them now and in the future. We have put together a short guide which addresses the ramifications of this decision for all companies and offers some practical tips going forward:
Why should you care?
The European Court of Justice’s pertinent ruling last month reaches further than you might think. We examine the consequences in more detail; they are not limited to search engines. We urge all companies (particularly those who process, control, host, index or cache data) to take note.
TO BEAR IN MIND
1. There is more to it...
This case should not be considered in isolation. A new data protection regulation is anticipated to become European law by 2016 or 2017 (about time, one might say, given that the current law on the subject was passed before Google was even registered as a domain name). To refresh your memories: in the UK, under the Data Protection Act 1998 (which enacts the Data Protection Directive (95/46/EC)), “personal data” means “data which relate to a living individual who can be identified— (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual”.
Take note - the Draft General Data Protection Regulation will see this definition rendered even broader, where personal data will mean “any information relating to a data subject”. Only 10% of UK businesses claim to fully understand the ramifications of these new laws, even though they are expected to have an impact on 85% of businesses.
The decision is just one indication that Europe is moving towards the stricter doctrine of the new regulations even before they are officially implemented: it’s time for companies to follow suit by pre-arming themselves with a full arsenal to come into line with what the new laws will demand. Google has clearly been forced to take the lead, its CEO promising to become more “European” ahead of the upcoming changes. Google has promised a new level of engagement in Europe over privacy issues and it should not be the only company to do so.
2. Get up to speed...
Or face the consequences. Currently, a company’s failure to submit a notification about the data it processes to the ICO can result in fines of up to £500,000. Under the proposed legislation, data controllers will face fines of up to €100 million, or 5% of their annual turnover, for ‘serious’ breaches of personal data. They will also have to notify the ICO of data breaches within 72 hours of discovering the breach and notify individuals of personal data breaches where said individuals are likely to suffer an ‘adverse effect’.
3. Consider the location of your business operations...
It was Google Inc.’s subsidiary in Spain, and in particular its advertising platform, which rendered it subject to the Directive. All companies (not just search engines) need to consider the location and activities of international subsidiaries. Google SL is a separate legal entity established in the European Union, yet because the corporate veil did not absolve its American parent company, Google, Inc., of the need to comply with European law, jurisdiction needs to be considered more broadly now than ever before. Could one of your subsidiaries be held to ‘process’ data? Remember it has to be more than simply targeting UK/EU consumers; ‘establishment’ is key. It also does not matter where the data subject lives: if a citizen of an EU Member State requests a takedown, the controller must comply with the law.
However, there is some debate regarding the enforceability of such fines in the United States. Some suggest this would render this kind of ruling impossible in the US. The First Amendment to the US Constitution elevates free speech interests above privacy concerns, granting an explicit right to discuss, print, or post online most information about others. The free-speech right is explicit, but the privacy right is implicit. Although this decision has caught out a US company on European soil, there is no proof as yet that the US will act in accordance with the ruling on their side of the pond.
4. Wider implications...
A common misinterpretation of the judgment is that what is removed is gone forever. The removal of the links by the search engine does not mean the information can never be accessed again. The underlying articles still exist; you may just have to work a bit harder to find them. However, if removed from search engine lists, a simple internet search which would usually provide a mosaic of information becomes more difficult. Again, this is not limited to search engines. Imagine the effect such takedown requests would have on restaurant, travel or rogue trader review sites, public interest groups and the like.
5. It’s a balancing act...
The internet can lead to interference with the fundamental rights to privacy and protection of personal data and this interference cannot be justified only by the economic interests of a company. However, complying with a takedown request will have to be based on a legitimate interests test and there is a balance to be struck between freedom of speech and data protection laws, the latter of which will take precedence. Considerations include: nature of the story/pictures; sensitivity; public interest; role played by the subject; and age of the information. There is an issue as to whether it is reasonable to expect search engines, for example, to employ such a test with every take down request. Should search engines and the like be required to determine what is in the public interest?
6. Irrelevant vs. Inaccurate...
There is no obligation under the current legislation to remove “irrelevant” data, only “inaccurate” data, and the terms are very different. It will all depend on how the ICO and the UK courts choose to interpret the judgment in relation to the Act. As yet, the ICO has not released any official guidance and it has not indicated whether it will; in the meantime, here are some practical steps to consider.
7. Do something about it...
There is no doubt this ruling will strain internal resources. Companies need to ensure their compliance departments are ready to accommodate the changes. It may also be worth considering investment in the development of new technology, further training or even new staff to monitor (on a case-by-case basis) inaccurate, irrelevant or excessive data.
8. Get around it...
It may be worth attempting to fall within the journalistic exemption. Search engines do not fit so obviously within the Directive’s definition of a ‘data controller’ in that they are “intermediaries in the information society,” locating and indexing data where it is available rather than creating the data. What if a search engine were to start a newspaper?
9. Manage it...
It may be that the easiest way to deal with this decision is simply to comply with it. Google has now created an initial online form to deal with removal requests: you must state your country, name, email address, the links you want removed and most importantly “how the URL is irrelevant, outdated, or otherwise inappropriate”. This is a work in progress and is stated to be “an initial effort”. Google will then have to examine each request and decide whether it should be removed. The form also states that Google may forward the request to the relevant data protection authority.
10. Get more answers...
In the absence of any official guidance from the ICO on the decision as yet, it may be up to companies to approach the ICO with a policy as to how they plan to interpret the judgment and the legislation. If the ICO does not accept the approach, and suitable amendments to the draft policy cannot be agreed, the next step would be to approach the English Courts for a declaration that the draft policy complies with relevant legislation. Lobbying is also an option. The Article 29 Working Party has taken the front foot on lobbying regarding the new regulations, but this decision could provide the ideal platform for companies more widely, independently or collectively, to be heard. For example, should complainants be required to make an initial complaint to the originator of the data in the first instance before making a complaint to the search engine?
Footnotes:
Draft General Data Protection Regulation: Regulation on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation).
Figures on UK businesses’ understanding of the new laws: according to a survey by Trend Micro.
ICO: Information Commissioner’s Office.