The internet has an unending memory that does not ever fade or forget; it stores all that was ever uploaded to it. Improved search algorithms make search engines capable of digging up all information about a person or event that was ever uploaded. Unfortunately, search engines do not yet have the ability to determine the accuracy or relevancy of a particular piece of information. Consequently, people have begun to realise that some information about them that the www carries may either be no longer relevant or something they would rather not have anyone know.
This apparent immortality of information on the web is making people assert their "right to be forgotten": they claim a legal right to get irrelevant news and/or other information about them deleted permanently from searches. This is becoming a question of primacy of two rights- the right to freedom of expression and information and the right to privacy.
Recently, one Mario Gonzalez (a Spanish citizen), claimed he had the right to not let information about his past be exposed in public domain especially if such information was no longer relevant. A ruling in his favour compelled Google to remove links to a 16-year-old newspaper article about the then bankruptcy of Gonzalez.
The case in summary: Gonzalez lodged a complaint with AEPD (the designated data protection agency in Spain) against La Vanguardia (a daily newspaper in Spain) and against Google Spain stating that whenever his name was entered in Google’s search engine, some old links also came up--specifically, an old report in La Vanguardia that mentioned attachment of Gonzalez’ properties and recovery proceedings against him. Gonzalez requested the newspaper to remove the article, as according to him, the matter was fully resolved many years ago and therefore, any continued mention of his name in that context was now entirely irrelevant.
AEPD ruled in favour of Gonzalez after it concluded that search engines are subject to data protection legislation because they index and process data. Google Spain appealed against the order before the Spanish National High Court, which in turn referred the case to the European Union (EU) Court of Justice.
The entire case was decided based on EU’s Data Protection Directive 95/46/EU, which is designed to ensure privacy of individuals and protection of all personal data collected for every individual especially as it relates to processing, using, or exchanging such data. This Directive stipulates that:
- Every person whose data is collected (“data subject”) should be notified when his data is being collected;
- Data should only be used for the purpose stated and not for any other purposes;
- Data should not be disclosed without the consent of the data subject;
- Collected data should be kept secure from any potential abuses;
- Data subjects should be informed as to who is collecting their data;
- Data subjects should be allowed to access their data and make corrections to any inaccurate data; and
- Data subjects should have a method available to them to hold data collectors accountable for not following the above principles.
In this case,the European Court primarily considered the right of an individual to access data to make corrections, demand corrections to any inaccurate data or seek removal of any irrelevant data.While addressing this core issue, the court also addressed ancillary issuessuch as the applicability of EU Data Protection Law against search engines whose principal locations are outside EU territories.
The court concluded that when conducting a search,search engines are, in fact, indexing, storing temporarily, and making available to internet users, information from the internet on the search topic and displaying it in a particular order. It held that this amounts to “processing of data”and that therefore, search engines can be regarded as “data controllers” as defined in the EU Directive on Data Protection. The court consequently concluded that when the search relates to a person or personal data, search engines are bound to follow the EU Directive on Data Protection.
Google’s branch and subsidiary entities in many countries have been established with the intent to promote and sell Google’s various services to residents of these countries. The court thus ruled that even if Google’s search engine activities are performed outside the territory of the concerned country, it will be considered as having taken place within the relevant territory. As such, Google (and other search engines that operate across national boundaries and generate revenue from each territory) are bound to follow the relevant data privacy rules.
Interpreting Article 12(b) and Article 14 of the EU Data Protection Directive, the Court concluded that Search Engines are obligated to remove from the list of results displayed based on the search made on a person’s name, those links to the web pages published by third parties or information relating to that person if the data subject (the person about whom the data is searched) requests for such removals even if the publication of those contents were legal.In arriving at its conclusion, the court heavily relied on the fundamental right to personal freedom and privacy and the European Union Directive.
It is worthlooking at this judgment from the perspective of Indian law.Article 21 of the Constitution of India provides protection of life and personal liberty. In Kharag Singh v State of Uttar Pradesh, R Rajagopal v State of Tamil Nadu and in many subsequent judgments, the Supreme Court of Indiahas reiterated the right to privacy as a fundamental right.
Recently, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 made under the Information Technology Act obligates every company that receives, possesses, deals, stores, handles sensitive personal information to have certain privacy practices. Under Section 2 (o) of the Information Technology Act “data" includes representation of information, knowledge and facts. As per Rule 3 (b) of the above,financial data constitutes sensitive personal data. Hence, Indian law too holds news of past bankruptcy of a person as sensitive personal data.
Rule 5(6) of the above states that “Body corporate or any person on its behalf permit the providers of information, as and when requested by them, to review the information they had provided and ensure that any personal information or sensitive personal data or information found to be inaccurate or deficient shall be corrected or amended as feasible.”
This entire matter is another possible area of conflict between fundamental rights such as the right to information, right to freedom of expression, right to knowledge etc with the “right to privacy”, whichis another fundamental right. Certainly the recent EU judgment will lead to a wider debate in India on the primacy of fundamental rights that are apparently in conflict.
The author is Partner at Fox Mandal & Associates, Bangalore, where he heads the Technology law practice. Views are personal. This article should not be taken as legal opinion or advice.