In the last few weeks Google has lost two and won one case around the Right to be Forgotten.
This is a piece of legislation introduced by the EU that allows people to request that links and references to them be removed from the Internet. Since it was introduced, millions of people have had references to them removed from search engines and websites. Google says that it has removed over 800,000.
Two of the cases were in the UK and one was in France. In the UK the cases concerned two individuals known as NT1 and NT2. They were heard at the same time by Mr Justice Warby.
In the case of NT1, the ruling was that the details were about a: “business crime, its prosecution, and its punishment. It was and is essentially public in its character. NT1 did not enjoy any reasonable expectation of privacy in respect of the information at the time of his prosecution, conviction and sentence. My conclusion is that he is not entitled to have it delisted now.”
Mr Justice Warby also went on to say that the details available were not shown to be inaccurate in any way and that NT1: “..has not accepted his guilt, has misled the public and this Court, and shows no remorse over any of these matters.”
The case of NT2 is different. He complained of links to 11 source publications. One of these was claimed to be inaccurate. The court accepted that the original conviction was considered spent and NT2 was a credible witness. Mr Justice Warby said: “NT2 has frankly acknowledged his guilt, and expressed genuine remorse. There is no evidence of any risk of repetition. His current business activities are in a field quite different from that in which he was operating at the time. His past offending is of little if any relevance to anybody’s assessment of his suitability to engage in relevant business activity now, or in the future. There is no real need for anybody to be warned about that activity.”
The case in France was reported by Bloomberg. It concerned an individual who, as a CFO, was fined for insider trading. The judges ruled that as he didn’t profit from the insider trading and was likely to lose his current job, some results should be removed. The key here is some results not all.
Bloomberg quotes the judges as saying: “Given his family situation, the loss of his job would cause him a very serious prejudice, especially given that it took him nearly two years to find a new job. In those circumstances, the public interest in having information with his name about this case doesn’t prevail.”
The difference between the cases in France and the UK is interpretation. Reading through the case of NT1, it is arguable that had his case been heard in Paris, he would have prevailed. Despite his failure to accept any guilt, he would, like the CFO, almost certainly have had success in getting some links removed.
Why is this important to companies?
There are several reasons why organisations need to take note of these judgements. Businesses are increasingly doing research about potential new hires through search engines. They also rely on industry bodies sharing data on individuals convicted of serious crimes and who have been banned or are restricted from operating in their industry. At the same time employment agencies as well as HR departments use search engines and social media to gain background on candidates.
At the moment, an individual has to approach multiple organisations to get details removed. This is why Right to be Forgotten cases tend to focus on search engines.
When GDPR comes into force on 25 May 2018, Article 17, Right of Erasure, will change that. It provides a list of tests that have to be applied when it comes to removing data. These are:
(1) The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
- the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
These items are going to require organisations to do a lot more work in identifying and tracking information in order to remove it.
This is not just about data held by a company
Let’s look at a different case. Company officers are encouraged, even required, to blog. In many cases they don’t write the pieces themselves. Some are written internally and some are commissioned externally.
A CEO publishes a story on social media, such as LinkedIn, or in a company blog. In that story the CEO mentions or links to a specific criminal case to make a point. The CEO has a large social media following who amplify the blog. At a later date, the individual concerned wants all references taken down and brings a Right to Erasure case. As shown above, the organisation must now take all measures to inform anyone who has linked to the piece that it should be taken down.
Article 17 states:
(2) Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
The challenge here is that few companies maintain an effective list of who links to data that they publish. Many also don’t have mechanisms to track where they have acquired data from. The CEO may have kept their research and links to where they obtained the information. The likelihood is that they haven’t. Where the work is commissioned from an outside agency it is now reasonable to get a list of all links and references. A competent writer will have provided those with the piece but the company is still responsible for all forward links where others have reprinted or copied the blog.
Why does this matter?
It’s easy to see this as something that is only going to happen to large organisations. It isn’t. Anyone thinking that they are immune and can publish publicly and even privately without any concern is mistaken. GDPR Article 17 paragraph (2) introduces a responsibility few are likely to be prepared to deal with.
There are exceptions of course. These are listed in paragraph (3) but they are open to interpretation.
(3) Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims.
Most bloggers, writers and online news sources will assume they are covered as journalists. Google lost that case in the UK with regard to NT1 and NT2. In the press summary Mr Justice Warby said:
“Google cannot rely on the so-called “journalism exemption” in s 32 of the DPA. It has not processed these data for journalistic purposes, or alternatively not only for those purposes. Moreover, it has not adduced any evidence that it held a belief that compliance with the provision of the DPA, from which it seeks exemption, would be incompatible with such a purpose -.”
Company directors and employees publishing blogs on behalf of the company would have to rely on a) above, the first exception listed in paragraph (3). However, this will require a court case and incur costs that under UK law cannot be claimed back. Organisations need to consider if Public Indemnity insurance covers any costs.
Between now and 25 May 2018, it will be interesting to see how many organisations review their historical content.