Tuesday, 11 November 2014

Forget-me-not (just forget what I’ve done)

The right to be forgotten

To forget is human.  The problem is, the internet never forgets.  At least, not until now.

Earlier this year, European courts confirmed the right of Europeans in certain circumstances to request that information pertaining to them be deleted from the internet.  This means that they no longer have to rely on peoples’ fading memories for what they have done to be forgotten.

The right to be forgotten

In May 2014, the Court of Justice of the European Union (CJEU) ruled that the 1995 Data Protection Directive contains a right to be forgotten.  In that ruling, the CJEU declared that search engines (such as Google) are ‘controllers’ of personal data.  As such, they have responsibilities in relation to that personal data, including an obligation to remove links to personal data in certain circumstances.  The CJEU further ruled that although the physical server where the data was processed was located in the United States of America, European law is still applicable to search engine operators where they have a branch or subsidiary in a European Member State.

Moreover, although Google and other search engines consider themselves to be effectively electronic card catalogues – they do not create the information that appears in their search results – this CJEU decision makes them nonetheless responsible for that information.  They are forced from a neutral role to an active one, in which they must regulate content.

Application of the right

Since the CJEU decision, individuals have exercised their right to be forgotten with regards to links contained on Google (498,737 links removed from search results), Facebook (3,353 links removed) and YouTube (2,392 URLs deleted).  Of the total requests made, Google has complied with 42%.

Exercising the right to be forgotten

In order to benefit from the right to be forgotten, the individual must make a request to the relevant data controller.  The request must demonstrate how the information is inaccurate, inadequate, irrelevant or excessive for the purposes for which it was collected.  The recipient of the request must weigh those considerations against the public interest in having that information available and other fundamental rights, such as freedom of expression and freedom of the media.

Problems with the right

In practice, it is not the offending article or webpage that is deleted from the internet.  The recipients of the requests, if they choose to comply, simply delete links to the offending article or webpage.  Further, the same search terms entered into Google’s Germany site (Google.de) may yield different results compared to the results that may appear on the Australian site (Google.com.au).  In fact, there is nothing to prevent an individual from carrying out searches on a variety of search engines, or even different versions of the same search engine. 

The right to remember

On the flip side, organisations are starting to claim that the public has a ‘right to remember’.  Both the BBC and the Telegraph have published, and regularly update, lists of links that have been removed from Google under the right to be forgotten.  Websites such as ‘Hidden from Google’ have also been created in response to the right to be forgotten, in which deleted links are listed.  The emergence of these sites brings a new-found interest in articles that may previously have been forgotten about.

The status of the right to be forgotten in Australia

Unlike America, Australia does not have a constitutionally-protected right to free speech which would trump any right to be forgotten, technically leaving the door open to the right to be forgotten to be enacted here. 

Australia does have a pre-existing right under the Privacy Act 1998 (Cth) which requires organisations that are subject to that Act (APP entities) to ensure that the personal information it collects is accurate, up to date and complete.  If the information is not correct, the APP entity must take steps to correct it.

Recently, an Australian Law Reform Commission Discussion Paper proposed the introduction of a new privacy principle which would allow an individual to request the deletion of information that the individual had provided to the APP entity.  Under the proposal, the entity would be required to comply, except in certain limited circumstances.  However, the proposed principle would not allow the individual to request destruction or de-identification of information posted by another individual.  This is in contrast to the European directive, which permits individuals to make takedown requests regardless of the source.

While Australia has not adopted a similar right to be forgotten at this stage, the European decision does have an impact here.  The extra-territorial aspect of the decision may mean that an Australian entity may be required to comply with the right to be forgotten in Europe.  Further, people in Australia that have European citizenship or residency may also have a right to be forgotten, insofar as its application in Europe is concerned.

We will keep you informed on any updates in Australia on this front.

No comments:

Post a Comment