1 Factsheet on the Right to be 100 Forgotten ruling (C-131/12) ) What is the case about and what did 100 the Court rule? 10 In 2010 a Spanish citizen lodged a complaint against a Spanish newspaper with the national Data Protection Agency and against Google Spain and Google Inc. The citizen complained that an auction notice of his repossessed home on Google s search results infringed his privacy rights because the proceedings concerning him had been fully resolved for a number of years and hence the reference to these was entirely irrelevant. He requested, first, that the newspaper be required either to remove or alter the pages in question so that the personal data relating to him no longer appeared; and second, that Google Spain or Google Inc. be required to remove the personal data 10 relating to him, so that it no longer appeared in the search results. The Spanish court referred the case to the Court of Justice of the European Union asking: (a) whether the EU s 1995 Data Protection Directive applied to search engines such as Google; (b) whether EU law (the Directive) applied to Google Spain, given that the company s data processing server was in the United States; (c) whether an individual has the right to request that his or her personal data be removed from accessibility via a search engine (the right to be forgotten ). In its ruling of 13 May the EU Court said : a) On the territoriality of EU rules : Even if the physical server of a company processing data is located outside Europe, EU rules apply to search engine operators if they have a branch or a subsidiary in a Member State which promotes the selling of advertising space offered by the search engine; b) On the applicability of EU data protection rules to a search engine : Search engines are controllers of personal data. Google can therefore not escape its responsibilities before European law when handling personal data by saying it is a search engine. EU data protection law applies and so does the right to be forgotten. c) On the Right to be Forgotten : Individuals have the right - under certain conditions - to ask search engines to remove links with personal information about them. This applies where the 1 See also relevant press release from the Court of Justice of the European Union Justice
2 information is inaccurate, inadequate, irrelevant or excessive for the purposes of the data processing (para 93 of the ruling). The court found that in this particular case the interference with a person s right to data protection could not be justified merely by the economic interest of the search engine. At the same time, the Court explicitly clarified that the right to be forgotten is not absolute but will always need to be balanced against other fundamental rights, such as the freedom of expression and of the media (para 85 of the ruling). A case-by-case assessment is needed considering the type of information in question, its sensitivity for the individual s private life and the interest of the public in having access to that information. The role the person requesting the deletion plays in public life might also be relevant. 2) The Right to be forgotten: The rules today (1995 Directive) and the rules tomorrow 1010 (proposed data protection Regulation) 0101 The Right to be forgotten in the 1995 Data Protection Directive The 1995 Data Protection Directive (on which the ruling is based) already includes the principle underpinning the right to be forgotten. A person can ask for personal data to be deleted once that data is no longer necessary (Article 12 of the Directive). Claims that the Commission has proposed something fundamentally new in the Data Protection Regulation are therefore wrong. They have been contradicted by the Court of Justice. The data subject s right of access to data Article 12 : Right of access Member States shall guarantee every data subject the right to obtain from the controller : ( ) (b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data; (c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort. Why the proposed Data Protection Regulation is needed The proposed Data Protection Regulation is about much more than the right to be forgotten. It is a fundamental modernisation of Europe s data protection rules, establishing a number of new rights for citizens of which the right to be forgotten is only one (data portability, data breach notifications for instance), creating a single market for data in the European Union and streamlining cooperation between the Member States regulators. In recognising that the right to be forgotten exists, the Court of Justice established a general principle. This principle needs to be updated and clarified for the digital age. The Data Protection Regulation strengthens the principle and improves legal certainty (Article 17 of the proposed Regulation): 1. The right to be forgotten would be an empty shell if EU data protection rules were not to apply to non-european companies and to search engines. The proposed data protection Regulation, for the first time, leaves no legal doubt that no matter where the physical server of a company processing data is located, non-european companies, when offering services to European consumers, must apply European rules (see Article 3 of
3 the proposed data protection Regulation). 2. To make the right to be forgotten more effective for individuals, the Commission has proposed reversing the burden of proof : it is for the company and not the individual to prove that the data cannot be deleted because it is still needed or is still relevant. 3.. The proposed Data Protection Regulation creates an obligation for a controller who has made the personal data public to take reasonable steps to inform third parties of the fact the individual wants the data to be deleted. The European Parliament went even further by including, in its compromise text, an obligation for the controller to ensure an erasure of these data. It also adds that individuals have the right to erasure where a court or regulatory authority based in the Union has ruled as final and absolute that the data concerned must be erased. Commission Proposal European Parliament Vote Article 17 Article 17 Right to be forgotten and to erasure Right to erasure The data subject shall have the right to 1. The data subject shall have the right to obtain obtain from the controller the erasure of from the controller the erasure of personal data 0101 personal data relating to them and the relating to them and the abstention from further dissemination of such data, and to obtain abstention from further dissemination of such data, especially in relation to personal from third parties the erasure of any links to, or data which are made available by the data subject while he or she was a child, where one of the following grounds applies: (a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data; (c) the data subject objects to the processing of personal data pursuant to Article 19; (d) the processing of the data does not comply with this Regulation for other reasons. 2. Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication. copy or replication of that data, where one of the following grounds applies: (a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6 (1), or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data; (c) the data subject objects to the processing of personal data pursuant to Article 19; (a) a court or regulatory authority based in the Union has ruled as final and absolute that the data concerned must be erased; (d) the data has been unlawfully processed. 1a. The application of paragraph 1 shall be dependent upon the ability of the data controller to verify that the person requesting the erasure is the data subject. 2. Where the controller referred to in paragraph 1 has made the personal data public without a justification based on Article 6(1), it shall take all reasonable steps to have the data erased, including by third parties, without prejudice to Article 77. The controller shall inform the data subject, where possible, of the action taken by the relevant third parties.
4 The proposed Data Protection Regulation allows data protection authorities to impose fines of up to 2% of annual worldwide turnover where companies do not respect the rights of citizens, such as the right to be forgotten. 5. The proposed Data Protection Regulation is also specific as to the reasons of public interest that would justify keeping data online the limitations of the right to be forgotten. These include the exercise of the right of freedom of expression, the interests of public health as well as cases in which data is processed for historical, statistical and scientific purposes. Conclusion : The right to be forgotten ruling makes the adoption of the data protection reform more, not less, urgent. 3) The Right to be forgotten and freedom of expression and the media 1010 The Court in its judgement did not elevate the right to be forgotten to a super right trumping other fundamental rights, such as the freedom of expression or the freedom of the media On the contrary, it confirmed that the right to get your data erased is not absolute and has clear limits. The request for erasure has to be assessed on a case-by-case basis. It only applies where personal data storage is no longer necessary or is irrelevant for the original purposes of the processing for which the data was collected. Removing irrelevant and outdated links is not tantamount to deleting content. The Court also clarified, that a case-by-case assessment will be needed. Neither the right to the protection of personal data nor and the right to freedom of expression are absolute rights. A fair balance should be sought between the legitimate interest of internet users and the person s fundamental rights. Freedom of expression carries with it responsibilities and has limits both in the online and offline world. This balance may depend on the nature of the information in question, its sensitivity for the person s private life and on the public interest in having that information. It may also depend on the personality in question: the right to be forgotten is certainly not about making prominent people less prominent or making criminals less criminal. The case itself provides an example of this balancing exercise. While the Court ordered Google to delete access to the information deemed irrelevant by the Spanish citizen, it did not rule that the content of the underlying newspaper archive had to be changed in the name of data protection (paragraph 88 of the Court s ruling). The Spanish citizens data may still be accessible but is no longer ubiquitous. This is enough for the citizen s privacy to be respected. Google will have to assess deletion requests on a case-by-case basis and to apply the criteria mentioned in EU law and the European Court s judgment. These criteria relate to the accuracy, adequacy, relevance - including time passed - and proportionality of the links, in relation to the purposes of the data processing (paragraph 93 of the ruling). The criteria for accuracy and relevance for example may critically depend on how much time has passed since the original references to a person. While some search results linking to content on other webpages may remain relevant even after a considerable passage of time, others will not be so, and an individual may legitimately ask to have them deleted. This is exactly the spirit of the proposed EU data protection Regulation : empowering individuals to manage their personal data while explicitly protecting the freedom of expression and of the media. Article 80 of the proposed Regulation includes a specific clause which obliges Member States to pass national legislation to reconcile data protection with the right to freedom of expression, including the processing of data for journalistic purposes. The clause specifically asks for the type of balancing that the Court outlined in its ruling whereas today s 1995 Directive is silent implying that data protection could rank above freedom of the media. The Commission proposes to strengthen freedom of expression and of the media through the revision of Europe s data protection rules. Conclusion : The proposed Data Protection Regulation strikes the right balance between the right to the protection of personal data and freedom of expression.
5 Frequently Asked Questions How will the Right to be Forgotten work in practice? Who can ask for a deletion of personal data and how? In practice, a search engine will have to delete information when it receives a specific request from a person affected. This would mean that a citizen, whose personal data appears in search results linking to other webpages when a search is done with that person s name, requests the removal of those links. For example, John Smith will be allowed to request Google to delete all search links to webpages containing his data, when one enters the search query John Smith in the Google search box. Google will then have to assess the deletion request on a case-by-case basis and to apply the criteria mentioned in EU law and the European Court s judgment. These criteria relate to the accuracy, adequacy, 1010 relevance - including time passed - and proportionality of the links, in relation to the purposes of the data processing (paragraph 93 of the Court s ruling) The request may for example be turned down where the search engine operator concludes that for particular reasons, such as for example the public role played by John Smith, the interest of the general public to have access to the information in question justifies showing the links in Google search results. In such cases, John Smith still has the option to complain to national data protection supervisory authorities or to national courts. Public authorities will be the ultimate arbiters of the application of the Right to be Forgotten. The Right to be Forgotten is a right which is given to all citizens in the EU, no matter what their nationality, subject to the conditions outlined above. How is Google expected to comply with this ruling? Will it not be very costly for search engines to comply? It is not yet possible to determine how the ruling of the Court on the Right to be Forgotten will impact the number of people who ask to have their data deleted from Google. In any event, Google already has a system in place to handle deletion requests, such as national identification numbers (like U.S. Social Security Numbers), bank account numbers, credit card numbers and images of signatures. It also has set up a parallel system for dealing with take-down requests for copyright violations. What will the Commission do now? This ruling has confirmed the main pillars of the data protection reform. The Commission will continue pushing for a speedy adoption of the data protection reform, including the reinforced and modernised Right to be Forgotten. The Commission expects search engine operators to further develop well-functioning tools and procedures, which ensure that individuals can request the deletion of their personal data when they are inaccurate, inadequate, or irrelevant or no longer relevant under the control of competent authorities in particular data protection authorities.
Court of Justice of the European Union PRESS RELEASE No 70/14 Luxembourg, 13 May 2014 Press and Information Judgment in Case C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos,
The Guide to Data Protection Contents Introduction 1 Key definitions of the Data Protection Act 4 The Data Protection Principles 19 1. Processing personal data fairly and lawfully (Principle 1) 20 2. Processing
Freedom of information guidance Exemptions guidance Section 41 Information provided in confidence 14 May 2008 Contents Introduction 2 What information may be covered by this exemption? 3 Was the information
ARTICLE 29 DATA PROTECTION WORKING PARTY 01037/12/EN WP 196 Opinion 05/2012 on Cloud Computing Adopted July 1 st 2012 This Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent
Public Sector Data Sharing: Guidance on the Law Section 1 - Introduction Section 2 - Overview of existing legal framework Section 3 - Power to share data Section 4 - The Data Protection Act 1998 Section
Data protection Subject access code of practice Dealing with requests from individuals for personal information Contents 3 Contents 1. About this code of practice 4 Purpose of the code 4 Who should use
The right to be forgotten between expectations and practice The right to be forgotten between expectations and practice I Contributors to this report Authors: Peter Druschel (Max Planck Institute for Software
November 2012 2/40 Table of Content INTRODUCTION 5 Why do we need this guide? 5 The rules at a glance 5 PART I: POSTING OF WORKERS 6 1. Which social security system is applicable for employees temporarily
The Human Rights Framework as a Tool for Regulators and Inspectorates Contents Foreword 5 Part 1: Introduction and Background 7 Who should use this handbook and why? 8 What is the human rights framework?
Council of the European Union Brussels, 9 March 2015 (OR. en) Interinstitutional File: 2012/0011 (COD) 6833/15 NOTE From: To: Presidency Council DATAPROTECT 26 JAI 156 MI 144 DRS 18 DAPIX 30 FREMP 45 COMIX
THE PLAIN LANGUAGE VERSION OF THE PROMOTION OF ACCESS TO INFORMATION ACT CONTENTS Part 1: Introduction What is the Act trying to achieve? Who does the Act apply to? Part 2: Provisions in the Act relating
On the Record A Practical Guide to Information Privacy 3 rd Edition On the Record 3rd edition Published by the Office of the Privacy Commissioner 2011 1st Edition 1999 2nd Edition 2000 PO Box 10094 Level
Queensland building work enforcement guidelines Achieving compliance of building work with the provisions of the Building Act 1975 and the Integrated Planning Act 1997 Effective 1 September 2002 Contents
DIRECTORATE GENERAL FOR INTERNAL POLICIES POLICY DEPARTMENT C: CITIZENS' RIGHTS AND CONSTITUTIONAL AFFAIRS CIVIL LIBERTIES, JUSTICE AND HOME AFFAIRS Protection of Personal Data in Work-related Relations
AFRICAN UNION CONVENTION ON CYBER SECURITY AND PERSONAL DATA PROTECTION EX.CL/846(XXV) AFRICAN UNION UNION AFRICAINE UNIÃO AFRICANA P.O. Box: 3243, Addis Ababa, Ethiopia, Tel.: +251-115 18 24 02 Fax: +251-115
27.12.2006 L 378/1 I (Acts whose publication is obligatory) REGULATION (EC) No 1901/2006 OF THE EUROPEAN PARLIAMT AND OF THE COUNCIL of 12 December 2006 on medicinal products for paediatric use and amending
845(E) Joint Recommendation Concerning Provisions on the Protection of Marks, and Other Industrial Property Rights in Signs, on the Internet (with Explanatory Notes) Adopted by the Assembly of the Paris
Special Education A service, not a place. Notice of Special Education Procedural Safeguards for Students and Their Families Requirements under Part B of the Individuals with Disabilities Education Act,
Settlement Agreements: A Guide Acas can help with your employment relations needs Every year Acas helps employers and employees from thousands of workplaces. That means we keep right up to date with today
Chapter 5 International Treaties and Conventions on Intellectual Property The Paris Convention for the Protection of Industrial Property History Principal Provisions Administrative and Financial Provisions
CONCEPT PAPER Investment in TTIP and beyond the path for reform Enhancing the right to regulate and moving from current ad hoc arbitration towards an Investment Court Investment is essential for growth
Privacy and Electronic Communications Regulations Direct marketing 1 ICO lo Data Protection Act Privacy and Electronic Communications Regulations Contents Introduction... 3 Overview... 4 Legal framework...
Dealing with vexatious requests (section 14) Freedom of Information Act Contents Introduction... 3 Overview... 3 What FOIA says... 4 Application of section 14(1)... 5 The meaning of vexatious... 6 Identifying
FATF Guidance politically exposed persons (recommendations 12 and 22) June 2013 FINANCIAL ACTION TASK FORCE The Financial Action Task Force (FATF) is an independent inter-governmental body that develops
CUSTOMERS BANK ONLINE & MOBILE BANKING ACCESS AGREEMENT 1) Scope of Agreement 2) Definitions 3) Terms and Conditions of Online Banking A. Requirements B. Online Banking Services - General C. Electronic