The “right to be forgotten”: privacy and online news

Recently, the Spanish Data Protection Authority (“Agencia Española de Protección de Datos – AEPD) ordered Google to delete links on its search engine to any website containing out of date or inaccurate information about individuals and, thus, breaching their “right to be forgotten”. Now, Google is challenging the AEPD’s order in a Madrid Court, since, in Google’s opinion, only publishers, and not search engines, may be deemed responsible for contents published through their websites and on the internet, thus only publishers should be forced to take action in order to guarantee users’ privacy and, especially, their “right to be forgotten”.

This decision raises new questions on the balance between the right to be forgotten, on one hand, and the freedom of speech and information on the other.

“Right to be forgotten” vs. right to inform

EU law recognizes to individuals a right to the protection of their personal data, meant as the right to actively control their own data (see article 8(1) of the European Convention on Human Rights (ECHR) and article 8(1) of the EU Charter on Fundamental Rights).

One component of such right is the right to be deleted or “to be forgotten”, i.e. the right of individuals to have their data no longer processed and be deleted when they are no longer needed for legitimate purposes. This is a specific expression of the “data minimisation principle”, in respect of which personal data should be processed only when strictly necessary.

However, the right to the protection of personal data, including the “right to be forgotten”, should be balanced with another fundamental right: the right of the press to inform, which also includes the right of individuals to be informed (see article 10 of the ECHR: “Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers”). In particular, although the press has a duty and right to inform the public, this right cannot be exercised in detriment of the individuals’ right to the respect of their private life.

Such balance is achieved under Italian data protection law. Journalists can collect, record and disseminate individual’s personal data without his/her consent only if the processing is carried out (i) in the exercise of the journalistic activity, (ii) for the sole purposes related thereto, and (iii) within the limitations imposed on freedom of the press to protect the individuals’ fundamental rights and dignity, with particular reference to materiality of the information with regard to facts of public interest (see article 137 of the Italian Data Protection Code – Legislative Decree no. 196/2003- and the Code of Conduct concerning the processing of personal data in the exercise of journalistic activities, annex A to the Data Protection Code).

The Italian Supreme Court further clarified the conditions press should comply with in order to lawfully publicize personal information: a) the objective truth of the information to be publicized; b) the public interest to the knowledge of such information; c) the formal fairness of the exposition; d) the relevance of the news publicizing personal information (decision of 9 April1998, no. 3679).

The Italian Data Protection Authority has also faced these issues in several decisions, highlighting the need for personal data to be made public only in so far as the information is essential in relation to public facts.

As an example, the press’ right to broadcast or make available through internet personal data of individuals facing criminal charges should be limited to the time of the relevant judicial proceeding. After a certain time has passed, such persons should have the right to prevent anyone from identifying them in relation to their criminal past, unless the data previously disseminated remain of interest due to supervened circumstances.

Google’s liability for links on its search engine

As mentioned above, AEPD ordered Google to remove from its search listings links to articles containing out of date or inaccurate information about individuals but Google, however, claims that a) it acts only as an intermediary, thus it cannot be held liable for any of the contents it indexes; b) the AEPD’s order should be issued against the publishers of the infringing information and not against search engines; c) deleting results would be a form of censorship. Now Google is fighting AEPD’s order in a Madrid Court. A final ruling on the case is expected in coming weeks or months, and if the AEDP’s order will be confirmed, Google might be forced to act on all such future requests immediately.

Also the Italian Data Protection Authority faced data protection issues concerning Google. An Italian citizen found that information on a criminal proceeding instituted against him/her continued to be available via Google’s search engine even though he/she had been acquitted of all the charges; this was due to the many cache copies and the various abstracts produced by the search engine, which provided a distorted image of his/her situation compared with the correct one shown on the source websites.

On 18 January 2006, the Data Protection Authority found Google Italy not subject to Italian data protection law, being such data stored in the US-based company’s server, and, thus, not processed by the Italian subsidiary which is not untitled to correct/modify inaccurate or out of date personal information. However, the Data Protection Authority wrote to Google Inc. at its headquarters in California – where the search engine servers are based – and called upon the company to devise solutions that could do away with persistence on the web of obsolete and/or inaccurate personal information even after such information had been amended at the “source websites” from which the relevant pages were extracted.

Whether Google is the right subject to address a request to “oblivion” or not, however, remains open. In fact, even if Google does not make certain results available anymore, this information could be still stored on servers and data bases of newspapers, and not be erased.

Recent initiatives on the “right to be forgotten” online

The issue of data protection has become particularly challenging in the online environment, where data are often retained without the person concerned being informed and/or having given his/her consent. For this reason, the EU is working on stronger data protection rules to give internet users more control over how websites use their personal information.

In particular, a Communication of the European Commission issued on 4 November 2010 (COM(2010) 609 final) emphasizes the need to review EU legal system on data protection in order to guarantee a high level of protection of individuals with regard to the processing of personal data in all areas of the Union’s activities and to clarify the right to be forgotten.

Moreover, the European Data Protection Supervisor (EDPS) recently suggested the codification of a “right to be forgotten”, since in the EDPS’ opinion such codified right would ensure the deletion of personal data or the prohibition to further use them, at the condition that these data have been already stored for a certain amount of time.

In France, on October 2010, on the initiative of the National Secretary for the Digital Economy, was signed a “Chart on the right to be forgotten” on the internet, to be subscribed on a voluntary basis. The Chart aims to enable individuals to protect their personal data published on websites and social networks.

Very recently the Italian Communication Authority, by launching a public consultation on the “net neutrality”, defined the right to be forgotten as a guarantee for the prejudice the individual could face in the event of diffusion through the internet, without duration limits, of his/her personal data.

Finally, the AEPD has made public recently that it may intend to file a request for preliminary ruling to the European Court of Justice, in order to assess whether Google – and not the webmaster of the site of origin – may be required to delete or block personal data in order to protect a person’s right to oblivion.

Such initiatives are symptom of a necessity to review the present legal framework for data protection, in order to ensure effective protection in an increasingly developing and globalised information society.