EU Data Protection law:
a 'right to be forgotten'?
CHAPTER 1: INTRODUCTION
Introduction
1. The so-called 'right to be forgotten', as
it is generally but misleadingly known, is a remedy available
under data protection law, enabling a data subject to obtain from
the data controller the erasure of links to data which the data
subject regards as prejudicial to him or her. It is a right which,
in the European Union, derives from the 1995 Data Protection Directive
(the Directive).[1] That
Directive was given effect in the United Kingdom by the Data Protection
Act 1998.
2. Google was founded in 1998, three years after
the adoption of the Directive. In the twenty years since the Directive
was negotiated, the technology in the collection, storing and
availability of data has changed out of all recognition, and the
Directive is now generally admitted to be in need of radical revision.[2]
In January 2012 the Commission put forward proposals for a new
data protection package,[3]
and this came to our Sub-Committee on Home Affairs, Health and
Education[4] for examination
in the course of our normal scrutiny of draft EU legislation.
The negotiations on the new Data Protection Regulation and Directive
are continuing, and so therefore is our scrutiny.
3. On 13 May 2014 the Grand Chamber of the Court
of Justice of the European Union delivered a judgment[5]
interpreting Article 12 of the 1995 Directive, as it applies to
data on the web accessible through a search engine. This judgment
is having far-reaching consequences. Since the proposed new Data
Protection Regulation contains provisions which would provide
an even wider 'right to be forgotten,' we thought it useful as
part of our scrutiny to re-consider those provisions in the light
of the judgment, and in particular to advise the Government on
the line it should take in the course of the negotiations. We
accordingly carried out a brief inquiry. We did not issue a call
for written evidence, but we received from Google, the defendants
in the proceedings, a very helpful oral briefing. This had to
be off-the-record because it related to a large number of ongoing
legal proceedings. In public evidence sessions we received oral
evidence from the witnesses listed in Appendix 2. We also received
two pieces of written evidence. To all our witnesses we are most
grateful.
The wider context
4. The Court of Justice's ruling deals with distinct
legal issues which we explain fully in the next chapter. The ruling
does however illustrate how important it is not to consider these
issues in isolation; they raise broader considerations. As always
in the field of data protection, there are the competing claims
of the right to privacy and the right freely to give and impart
information. The right to privacy, emphasised by the Court, is
highly prized, and rightly so; yet, as Rt Hon Simon Hughes MP,
the Minister for Justice and Civil Liberties, said to us, we do
not want to close down access to information in the EU that is
open to the rest of the world.[6]
Professor Luciano Floridi[7]
warned us against attempting to place these rights in some sort
of hierarchical order: "one is better off by saying that
it depends on specific instances, contexts and practices, and
there is no useful, general way of establishing a priori what
comes first and what comes later, but only intelligent and wise
discernment".[8]
5. When considering this particular aspect of
data protection law we have been conscious, as we have throughout
our ongoing scrutiny of the data protection package, of the degree
to which modern technology has eroded the privacy of data subjects.
Once information is lawfully in the public domain it is impossible
to compel its removal, and very little can be done to prevent
it spreading. Where there is information about individuals which
they would prefer not to be widely known, they are wholly reliant
on those who know the information not to make it public, or to
publicise it further.
6. Data controllers have legal powers and obligations
under the general law, and more specifically under the Directive
and its implementing legislation. So do search engines, irrespective
of whether or not they are properly classed as data controllers.
They deal with a vast volume of personal data, and they make it
immeasurably easier to locate such data. This is greatly to the
benefit of their users. Usually it is also to the benefit of data
subjects, or at least not to their disadvantage. But there are
times when, leaving aside all legal considerations, a sense of
social responsibility, even of trust, leads to the conclusion
that data should not be publicised, and access to data should
not be made easier. This is an ethical dimension which may in
future need a further code of ethics, and which seems to be ignored
by people who too often pay scant regard to the feelings of those
concerned, and the consequences for them, when they publish information
which may be of interest to the public, but which there is no
public interest in publishing.
1 Directive 95/46/EC of the European Parliament
and of the Council of 24 October 1995 on the protection of individuals
with regard to the processing of personal data and on the free
movement of such data (the 1995 Directive). This was
complemented in 2008 by Council Framework Decision 2008/977/JHA
on the protection of personal data processed in the framework
of police and judicial cooperation in criminal matters (the
Framework Decision). Back
2
See e.g. the Commission's summary in the Explanatory Memorandum
for its new proposals: "During the consultations on the comprehensive
approach, a large majority of stakeholders agreed that the general
principles remain valid but that there is a need to adapt the
current framework in order to better respond to challenges posed
by the rapid development of new technologies (particularly online)
and increasing globalisation." Back
3
Proposal for a Regulation of the European Parliament and of
the Council on the protection of individuals with regard to the
processing of personal data and on the free movement of such data
(General Data Protection Regulation) (COM 2012/11 final, Council
Document 5853/12), and Proposal for a Directive of the European
Parliament and of the Council on the protection of individuals
with regard to the processing of personal data by competent authorities
for the purposes of prevention, investigation, detection or prosecution
of criminal offences or the execution of criminal penalties, and
the free movement of such data (COM 2012/10 final, Council
Document 5833/12). Back
4
The members of the Sub-Committee are listed in Appendix 1. Back
5
Google Spain SL, Google Inc. v Agencia Española de Protección
de Datos, Mario Costeja González (Case C-131/12, 13
May 2014). Back
6
Q34 (Simon Hughes MP) Back
7
Professor of Philosophy and Ethics of Information, Oxford Internet
Institute, University of Oxford. Professor Floridi has been
appointed as an external and independent member of the Advisory
Council set up by Google to help in their implementation of the
Court's judgment. Back
8
Written evidence from Prof Floridi (TRF004) Back
|