Introduction

1.  The so-called 'right to be forgotten', as it is generally but misleadingly known, is a remedy available under data protection law, enabling a data subject to obtain from the data controller the erasure of links to data which the data subject regards as prejudicial to him or her. It is a right which, in the European Union, derives from the 1995 Data Protection Directive (the Directive).[1] That Directive was given effect in the United Kingdom by the Data Protection Act 1998.

2.  Google was founded in 1998, three years after the adoption of the Directive. In the twenty years since the Directive was negotiated, the technology in the collection, storing and availability of data has changed out of all recognition, and the Directive is now generally admitted to be in need of radical revision.[2] In January 2012 the Commission put forward proposals for a new data protection package,[3] and this came to our Sub-Committee on Home Affairs, Health and Education[4] for examination in the course of our normal scrutiny of draft EU legislation. The negotiations on the new Data Protection Regulation and Directive are continuing, and so therefore is our scrutiny.

3.  On 13 May 2014 the Grand Chamber of the Court of Justice of the European Union delivered a judgment[5] interpreting Article 12 of the 1995 Directive, as it applies to data on the web accessible through a search engine. This judgment is having far-reaching consequences. Since the proposed new Data Protection Regulation contains provisions which would provide an even wider 'right to be forgotten,' we thought it useful as part of our scrutiny to re-consider those provisions in the light of the judgment, and in particular to advise the Government on the line it should take in the course of the negotiations. We accordingly carried out a brief inquiry. We did not issue a call for written evidence, but we received from Google, the defendants in the proceedings, a very helpful oral briefing. This had to be off-the-record because it related to a large number of ongoing legal proceedings. In public evidence sessions we received oral evidence from the witnesses listed in Appendix 2. We also received two pieces of written evidence. To all our witnesses we are most grateful.

The wider context

4.  The Court of Justice's ruling deals with distinct legal issues which we explain fully in the next chapter. The ruling does however illustrate how important it is not to consider these issues in isolation; they raise broader considerations. As always in the field of data protection, there are the competing claims of the right to privacy and the right freely to give and impart information. The right to privacy, emphasised by the Court, is highly prized, and rightly so; yet, as Rt Hon Simon Hughes MP, the Minister for Justice and Civil Liberties, said to us, we do not want to close down access to information in the EU that is open to the rest of the world.[6] Professor Luciano Floridi[7] warned us against attempting to place these rights in some sort of hierarchical order: "one is better off by saying that it depends on specific instances, contexts and practices, and there is no useful, general way of establishing a priori what comes first and what comes later, but only intelligent and wise discernment".[8]

5.  When considering this particular aspect of data protection law we have been conscious, as we have throughout our ongoing scrutiny of the data protection package, of the degree to which modern technology has eroded the privacy of data subjects. Once information is lawfully in the public domain it is impossible to compel its removal, and very little can be done to prevent it spreading. Where there is information about individuals which they would prefer not to be widely known, they are wholly reliant on those who know the information not to make it public, or to publicise it further.

6.  Data controllers have legal powers and obligations under the general law, and more specifically under the Directive and its implementing legislation. So do search engines, irrespective of whether or not they are properly classed as data controllers. They deal with a vast volume of personal data, and they make it immeasurably easier to locate such data. This is greatly to the benefit of their users. Usually it is also to the benefit of data subjects, or at least not to their disadvantage. But there are times when, leaving aside all legal considerations, a sense of social responsibility, even of trust, leads to the conclusion that data should not be publicised, and access to data should not be made easier. This is an ethical dimension which may in future need a further code of ethics, and which seems to be ignored by people who too often pay scant regard to the feelings of those concerned, and the consequences for them, when they publish information which may be of interest to the public, but which there is no public interest in publishing.

2   See e.g. the Commission's summary in the Explanatory Memorandum for its new proposals: "During the consultations on the comprehensive approach, a large majority of stakeholders agreed that the general principles remain valid but that there is a need to adapt the current framework in order to better respond to challenges posed by the rapid development of new technologies (particularly online) and increasing globalisation." Back

3   Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (COM 2012/11 final, Council Document 5853/12), and Proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data (COM 2012/10 final, Council Document 5833/12). Back

4   The members of the Sub-Committee are listed in Appendix 1. Back

5   Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (Case C-131/12, 13 May 2014). Back

6    Q34 (Simon Hughes MP) Back

7   Professor of Philosophy and Ethics of Information, Oxford Internet Institute, University of Oxford. Professor Floridi has been appointed as an external and independent member of the Advisory Council set up by Google to help in their implementation of the Court's judgment. Back

8   Written evidence from Prof Floridi (TRF004) Back