Today, the European Court of Justice (ECJ) handed down its decision in Google v. CNIL, dealing with the remit of the ‘right to be forgotten’ (RTBF). In short, the ECJ held that the operator of a search engine is not required to carry out de-referencing on all domain extensions of its search engine when dealing with an RTBF request. It is required, however, to carry out de-referencing on the versions of its search engine corresponding to all member states and take measures to protect the data subject’s fundamental rights. Though the decision was made under the former Data Protection Directive, it will have implications for data subjects under the General Data Protection Regulation (GDPR) as the RTBF was codified by GDPR Article 17.
Get your update on IT & Data Protection Law in our Newsletter (Fall 2018 edition)
The Fall 2018 edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released.
We provide updates on Facebook fan pages, the right to be forgotten, cease and desists by competitors under GDPR, spamming and customer satisfaction surveys, the German Network Enforcement Act, and more. The newsletter also includes…
The digital beyond: Facebook ordered to disclose circumstances around deleted profile
In the recent case of Sabados v Facebook Ireland [2018], the English High Court ordered Facebook to disclose the identity of a mystery individual who requested that the platform delete the profile of a deceased user of the platform.
Around six months after the death of Mr Mirza Krupalija, Facebook received a request from an individual to delete Mr Krupalija’s personal profile, as well as the page of his band. Facebook duly complied with this request, leaving his long-term partner, Ms Azra Sabados, “devastated by the loss of so much material”.
Ms Sabados made a subject access request to Facebook on the basis that some of that deleted information (which included photographs, poems and messages between the couple) would have included her own personal data. In response to a subject access request, Facebook confirmed that the data from Mr Krupalija’s profile was no longer available and that it was not able to tell Ms Sabados who requested that her partner’s profile be deleted.
The High Court considers the right to be forgotten
On 13 April 2018, the High Court, in NT1 & NT2 v Google LLC [2018] EWHC 799 (QB), ruled against Google, in favour of two businessmen advocating for the right to be forgotten. You can find the full judgment here, but in this blog we explore the reasoning behind the Court’s decision.
Right to be forgotten/right to erasure
The Court of Justice of the EU confirmed the right to be forgotten as an existing right under data protection laws, in Google Spain SL v Agencia Española de Protección de Datos Case of 2014: 317. The right to be forgotten is made explicit in the EU General Data Protection Regulation 2016/679 (GDPR) text. Essentially, in the GDPR the right is an enhanced right of erasure. The right is not absolute, which means that a controller does not need to comply with the request if there is a legitimate reason for continuing to process the personal data.
Case summary
Two separate businessmen brought cases, which were consolidated. Each case centred on the reporting of business-related criminal convictions that were spent and over a decade old:
- NT1 was convicted of conspiracy to commit false accounting and tax evasion; and
- NT2 pleaded guilty to conspiracy to tap phones and hack computers of environmental activists who had made threats against him and his business.
Get your update on IT and data protection law in our newsletter
The Winter 2018 edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released.
We cover new case law on marketing consent, cookie consent, the liability of platform providers, employee data protection, sales of address data and the right to be forgotten. The newsletter also includes multiple recommended reads…
UK first: right-to-be-forgotten notice issued against Google Inc.
The UK’s Information Commissioner’s Office (‘ICO’) has published what appears to be its first public enforcement notice based upon “the right to be forgotten” against Google Inc. The “right to be forgotten” was introduced by the ECJ last year when it held that data subjects have a right to compel search engines to remove results linking to websites containing their personal information, if those results were outdated or irrelevant.
In the current case, Google originally agreed with the data subject’s initial right-to-be-forgotten request, namely that its historic criminal conviction was no longer relevant, and removed the link. Unfortunately for the data subject, the removal drew more attention to the story, causing new articles to be written, and Google refused to remove the subsequent links on the basis that they were relevant and in the public’s interest.
Search engine providers face tougher fines under proposed EU tiered fine system
A leaked draft proposal posted by StateWatch and created by the European Commission reports that most Member States appear to be in favour of introducing a three-tiered fine system for non-compliance with EU data protection rules. Under the proposal, which was revised as a result of the 21 April 2015 meeting, all Member States are required to implement a system which provides effective, proportionate and dissuasive penalties, and creates three levels of fines at 0.5%, 1% and 2% of an organisation’s total worldwide annual turnover.
The fine criteria are set out under Article 79a of the draft General Data Protection Regulation (the ‘GDPR’), and the amount of the fine will depend upon the nature, gravity and duration of the infringement. As examples, a fine of up to 0.5% could be levied against organisations that fail to respond to data subject access requests within the prescribed period, or that charge a fee for dealing with such requests. Failure to provide the correct information in response to data subject access requests, failure to be transparent about the purposes for processing individuals’ data, or breaches of the right to be forgotten principle may now lead to a fine of up to 1%.
Italy Releases Draft Declaration of Internet Rights
Italy’s Chamber of Deputies has proposed a ‘Draft Declaration of Internet Rights’ (Declaration), acknowledging both the way in which the internet has changed interactions and the way it has erased borders, but also noting that the EU’s protection of personal data is a necessary reference for governing operation of the internet. The Declaration is now open to public consultation until 27 February 2015.
The aim of the Declaration is to establish some general principles to be implemented by national legislation. It consists of a preamble and 14 articles covering topics including the fundamental right to internet access, net neutrality and right to be forgotten.
In particular, there is strong emphasis on the protection of the individual from widespread monitoring. Article 9 of the Declaration, for example, states that restrictions on anonymous communications “may be imposed only when based on the need to safeguard the public interest and are necessary, proportionate, and grounded in law and in accordance with the basic principles of a democratic society.”
This publication is not the first of its kind and follows the German Bundestag committee work on the ‘Digital Agenda’, France’s parliamentary committee report on Rights and Liberties in the Digital Age, and Brazil’s Marco Civil.
European Commission and EU Art 29 dispel the myths on the ECJ’s decision in Google Spain
In May 2014, we reported on the implications of the landmark decision in Google Spain which recognises the right for individuals to have links about themselves de-listed from search results. In response to the complaints received, the Article 29 Working Party (Art 29 WP) published a report on work being carried out to handle complaints,…
EU Art. 29 Releases Guidelines on the Right to be Forgotten
In November, the Article 29 Data Protection Working Party (Working Party) released guidelines as to how the Data Protection Authorities (DPAs) assembled in the Working Party intend to implement the judgment of the Court of Justice of the European Union (CJEU) in the case of Google Spain SL and Google Inc. v Agencia Española de…