In 1998 a Spanish newspaper published two articles on their website about the auctioning of two properties owned by Mario Costeja Gonzalez. The state forced the sale of the properties because of Costeja’s failure to honour his social security debts. Eleven years later, Costeja contacted the newspaper and asked them to remove the articles on their website, arguing that while the sales had been concluded a long time ago, typing his name into Google still returned links to the two articles.
The newspaper responded saying that they could not delete the articles, as they were there at the request of, and paid for by, the client: the Spanish Ministry of Labour and Social Affairs. Costeja contacted Google Spain asking for the links to be removed and the request was forwarded to Google headquarters in the US. Costeja then filed a complaint with the Spanish Data Protection Agency and the case went to the Court of Justice of the European Union. The court ruled that Google had to remove the links from the search engine.
This ruling caused quite an uproar and resulted in some very important consequences, one of which created the legal precedent and background for the right of erasure clause in the new EU General Data Protection Regulation (GDPR). (The clause was previously known as the right to be forgotten.)
Basically, the ruling gives individuals the right to request the deletion or removal of their personal data where there is no compelling reason for its continued processing. The conditions under which the right can be exercised are:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
- When the individual withdraws consent
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
- The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR)
- The personal data must be erased to comply with a legal obligation
- The personal data is processed in relation to the offer of information society services to a child.
In addition, the ruling in favour of Costeja found that:
- Google, as the internet search engine, is responsible for the processing that is carried out on personal data published on its site
- Google Spain, a subsidiary of Google Inc, is based within the EU and therefore must comply with EU law
- The legitimacy of processing requires a balancing act between the interests of Costeja as the data subject and Google as the data controller. The Court held that the processing of data which is “inadequate, irrelevant or excessive” (i.e. not merely inaccurate) might also be incompatible with the European Data Protection Directive
The new EU GDPR comes into force in May 2018 and sets the rules that govern the privacy and data protection rights of EU nationals within, and outside of, Europe. It is one of the most comprehensive responses to the new data-driven digitalised world, and most of its contents are ground-breaking from a legal point of view.
As a result, controversies and legal challenges are likely to continue long after the legislation has come into force, with the right to erasure expected to be one of the most contested and hotly debated issues. The objections range from the technical challenges of updating IT systems, setting up procedures and upskilling staff, through to subjective questions of a more philosophical nature, such as the right to privacy versus freedom of speech.
Critics of the new legislation (and there are many) claim that the regulation is dangerously close to impeding the right to freedom of expression. According to a study conducted by an independent American think tank, the principles of the right to be forgotten are in breach of the First Amendment of the Constitution of the United States and therefore inconsistent with US law. In Europe, however, the right to individual privacy seems to take priority over diligent record keeping.
According to Google, as a direct result of the Costeja ruling, in 2014 they received over one million requests to forget links to pages on their website. Google has removed about 41 per cent of them, with the majority relating to pages that showed personal information about private individuals, rather than public information about public figures. However, a company which receives such a request can challenge it, and has the right to turn it down if deleting the information impedes the exercising of the right of freedom of expression; if holding it is a legal requirement or in the public interest (like scientific research or statistical purposes); or if there is a legitimate business purpose for holding the information. GDPR highlights these exceptional cases, but the continuing debate over what counts as “public interest” or “freedom of expression”, which is undoubtedly subjective, opens the door for challenges being taken to court. The balancing act between the rights of the individual (the data subject) and of the organisation holding the information (the processor) presents a challenge within the regulations.
Regardless of where these debates go, companies collecting or processing data from EU citizens need to pay special attention and start preparing for when the right of erasure comes into force. For Google, for example, removing links to sites was not technically difficult, as it has enhanced its mechanism for dealing with copyrighted material. But for companies in different areas such as financial services, a number of whom operate on less advanced IT systems and have for years extensively collected massive amounts of data, at times without a business need for it, this might not be as straightforward.
To add further complexity, it is the responsibility of the company that initially collected the data to inform any third parties to whom the data has been transferred that it needs to be deleted. There is, however, a bit of room for manoeuvre, and firms will have to use their own legal teams to weigh up whether exemptions should be sought depending on the industry, companies and individuals involved.
Once GDPR comes into force and the public becomes more aware of their rights, it is likely that there will be more requests to delete data. One of the main challenges for companies will be deciding which information is considered to be in the public interest or an expression of the freedom of speech and therefore not subject to the right of erasure, and which is private data and therefore needs to be deleted should a member of the public make such a request.
In short, there is no doubt that companies need to take the issue seriously and start analysing the data they hold, assessing its business purpose and ensuring they know how consent for holding it was obtained. They must also upgrade their IT systems and upskill their staff, so that any requests based on the right of erasure are dealt with in a timely manner and at a minimum financial or reputational cost. Failure to act and prepare now will only mean more time and money spent dealing with the issue in the future.