Wednesday, 5 November 2014

Right to be forgotten: When privacy trumps freedom of speech


In the EU, a citizen has the right to be forgotten. This right basically gives you the right to withdraw personal data. Very recently the EU extended this right against search engines like Google. So if your personal data is up on Google, you can ask them to disable links to such information, of course subject to a few conditions.

The European Court of Justice recently read the right to be forgotten within the realm of the 1995 Data Protection Directive. This case has gained immense popularity as it directed the search engine, Google, to remove links which impinged on the complainant's right to privacy.

Before we discuss the case, it is pertinent to understand, very briefly the data protection law that exists in the European Union (EU). The EU in its Data Protection Directive, 1995 expressly protects an individual's right to privacy with respect to processing of personal data. This directive is considered a milestone in the field of privacy laws. The growing dependency on technology and uneven enforcement of the directives forced the EU commission to formulate a new privacy law. Thus, in the year 2012, the commission proposed the new data protection regulation which aims at being a one stop shop for all matters concerning the protection of private data.

The commission's proposal seeks to modernize the 1995 directives such that the right to personal data is protected in the future. They focus on: reinforcing individuals’ rights; strengthening the EU internal market; ensuring high level of data protection in all areas, including police and criminal justice cooperation; ensuring proper enforcement of the rules; and setting global data-protection standards.[1] These regulations basically aim at empowering individuals to take control over their data and ensure that their personal data is protected.  The European Commission will also strengthen individuals’ right to be forgotten.

EU decision on the right to be forgotten
A Spanish citizen, Mario, lodged a complaint against a daily newspaper and Google Spain. Mario in his complaint urged the court to order Google to remove a link of a newspaper article concerning the public auction of his repossessed home. He contended that as this news is old and does not pertain to his current status in society, it infringed his right to privacy. It is relevant to note here, that Mario did not contend that the information is untrue or inaccurate, he merely stated that as the auction notice has no relevance to his present state of affairs and the continued existence of such information violated his right to privacy. He also urged the Court to order the newspaper to no longer keep within its possession such information. The Court recognized the right to be forgotten and ordered Google to deactivate links regarding the auction notice. However the Court struck a balance between the right to privacy and freedom of the media. While the Court ordered Google to delete access to the information deemed irrelevant but it did not rule that the underlying newspaper archive needs to be changed in the name of data protection.

The EU directives impose an obligation on 'controllers' to ensure protection of personal data and also undertake erasure of irrelevant and infringing data. A controller has been defined under the directives to mean a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of processing personal data. The following paragraphs will highlight how the court equated Google to be a controller.

  • Applicability of EU directives to search engines: The court ruled that Google is a controller as it performs the function of processing personal data. Processing of personal data has been defined to mean any operation or set of operations which is performed upon personal data such as collection, recording, organisation, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.  A search engine, like Google, processes personal data as it collects data which it subsequently retrieves, records and organizes within the framework of its indexing programmes, stores on its servers and, as the case may be discloses and makes available to its users in the form of lists of search results. 
  • Right to be forgotten under the 1995 Directives: While reading into an individual's right under Article 12 of the directives, the Court held that individuals have the right to ask search engines to remove links which are inaccurate, inadequate, irrelevant or excessive. The court held that a case by case assessment must be made and the economic interests of the search engine must be weighed vis-a-vis the complainant's right to be forgotten. The court also clarified that this right is not an absolute right and will have to be balanced with other fundamental rights, such as the freedom of media.
The judgment does not clarify how search engines should implement this ruling, which has left Google in a fix. However, Google has introduced erasure forms. Complaints received by them are processed and the appropriate action will be taken. Google has indicated that it received over 12,000 removal requests on day one and over 41,000 requests by day four. Other search engines are also closely monitoring these developments and making the required changes to their privacy policy in order to implement this judgment.

Indian Legal System:
The right to privacy in India is protected under Article 21 of the Constitution of India. This right is not an absolute right and is subject to reasonable procedures established by law. There are no precedents which have interpreted the right to be forgotten as a subset of the right to privacy. Indian law only address direct infringement of privacy and does not give people the right to remove irrelevant and unnecessary information without approaching a court or tribunal. The right of erasure arises only once it is established that the material impinges upon the right to privacy by the relevant court of law.

The Information Technology Act, 2000 and the rules thereunder also do not expressly provide for the right to be forgotten. The only provision which can be read to include the right to be forgotten is the intermediary's duty to remove content which is infringing in nature[2]. This can be read broadly to include the right to be forgotten as the aggrieved can approach the intermediary and prove how the data is infringing in nature. The final decision rests with the intermediary. The other data protection rules merely provide the right to review information given and request for amendments and alterations. These rules do not expressly guarantee the right to be forgotten.

The Shah Committee Report, 2012 proposed that the new privacy law in India must give more powers to individuals. In one of its recommendations it proposed that individuals should have the right to be forgotten. The Report suggested that access to personal information held by a data controller; should be able to seek correction, amendments, or deletion such information where it is inaccurate; be able to confirm that a data controller holds or is processing information about them; be able to obtain from the data controller a copy of the personal data. The leaked privacy bill 2014 bill is very similar to the EU directive and extends the right to privacy to all residents of India. It imposes obligations on persons in control of data to ensure that privacy of data is maintained and also extends the right to erasure of data on residents.

It will be interesting to see how this right will be read in the Indian context.

[2] Rule 3, Information Technology (Intermediaries Guidelines) Rules, 2011

No comments:

Post a Comment