In a world of increasingly sophisticated IT systems where organisations have multiple servers and utilise cloud-based solutions to store personal data, the right to be forgotten has received a significant amount of publicity.
Under the Data Protection Act 1998, data subjects (the living individuals to whom personal data relates) have certain rights. However, the Act does not contain a right to be forgotten. A number of the eight data protection principles, which are set out in the Act, include safeguards that mean information is not held indefinitely and that the information held is not excessive, but these rights stop short of amounting to a right to be forgotten.
The most relevant of the principles is principle five, which provides that personal data being processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. However, this is an obligation on the data controller - the organisation that controls the manner in which and the purposes for which personal data is processed - rather than a right for the data subject to request their data is erased.
In addition, section 10 of the Act sets out a right for data subjects to prevent processing of their personal data that is likely to cause damage or distress. The damage or distress caused must be substantial and unwarranted so this is a high threshold to satisfy.
The IT landscape has changed dramatically since the 1998 Act was implemented and many argue that the European framework on which the Act is based is now no longer fit for purpose in a society where the concepts of big data, cloud computing and social media are prevalent. In order to address this, a new European Data Protection Regulation has been proposed and is currently progressing through the European legislative process.
The Regulation, once implemented, will have direct effect in all EU member states. This means the Data Protection Regulation will apply without the need for any local implementing legislation and will largely replace existing data protection laws, including the 1998 Act. The Regulation has been drafted specifically to address the new privacy landscape and the challenges this poses.
In a recent high-profile case, the right to be forgotten was considered in the context of search results generated via Google. An individual in Spain made a complaint against Google Spain, based on the fact that when the individual's name was searched on Google, the results showed links to two web pages of a Spanish newspaper that referred to the individual and related to a real estate auction connected with proceedings for the recovery of social security debts.
The Spanish courts referred a number of questions to the Court of Justice of the European Union and particularly asked the Court whether an individual could require the operator of a search engine to remove links to the web pages publishing information about him that was prejudicial or that the individual wanted to be forgotten.
The Court held that the links should be removed where the processing of the personal data did not comply with the European Data Protection Directive. The Court found that, while the newspaper article was accurate at the time it was published, the data was no longer necessary and so should not be searchable by the name of the individual concerned. However, the Court did highlight that the right to have information removed had to be balanced against the interests of the public in being able to view the information.
The Information Commissioner's Office, in a blog issued shortly after the ruling, emphasised that this judgment was achieved under the existing data protection framework and that it does not create a "full or absolute" right to be forgotten. However, this case did mark a strengthening in approach and has firmly placed the "right to be forgotten" on the radar of many individuals.
While not all requests are accepted, there is commercial pressure on search engines to avoid legal disputes on the issue. Statistics published by Google suggest that just under half of the several hundred thousand requests it has received have been accepted, but that is still a lot of work.
It is important to appreciate that the requirement is on Google to remove links to material from its internet searches and not to delete the web pages themselves. Google also only delinks for searches in the relevant European jurisdictions and not worldwide. There is currently a dispute between European authorities and Google over whether delinking should be global.
The right for some things to be forgotten and the ability to remove offending material from the internet are not new. In many jurisdictions, including the US (where currently freedom of speech is seen as likely to prevent any US version of the right to be forgotten on information about spent criminal convictions), web pages that breach intellectual property rights can be removed. However, the right to be forgotten as developed by the European Court is much wider than these existing provisions.
In England & Wales the 2013 case of Halliday v Creation Consumer Finance Ltd shows that the Courts will try to give teeth to Data Protection-based rights. Halliday was awarded £750 for distress following a finance company providing incorrect data to a credit rating agency about him.
Drafts of the new Data Protection Regulation have set out a "right to be forgotten and to erasure" (which takes a number of slightly different forms). This is a substantial departure from the current position and poses a significant challenge for any organisation which holds personal data, particularly electronically. The proposed right applies where one of the following grounds applies:
• the data is no longer necessary for the purposes for which it was collected or processed;
• the data subject withdraws consent (where consent was the basis on which the individual's data was processed) and there is no other legal ground for the processing of the data;
• the data subject objects to the processing of the personal data or the processing does not comply with the Data Protection Regulation for other reasons.
Clearly, this obligation is very broad and one which could be very time consuming for organisations to comply with. In addition, various influential bodies including the Information Commissioner have questioned the practicalities around enforcement of this right.
The Regulation is currently going through the European legislative process and if all goes to plan it is likely that the Regulation will be adopted in the summer of 2016 with a final draft being published at the end of this year/early next year. The European Regulation will have a two-year implementation period to allow organisations to assess their level of compliance and implement procedures to ensure they comply with the European Regulation.
Whatever form the right to be forgotten eventually takes, it is clear from the Google case and the degree of press coverage of this issue that the right to be forgotten represents a material improvement for data subjects in their right to privacy but poses significant practical challenges for organisations. It seems unlikely that a right to be forgotten will be removed from the final Data Protection Regulation so the statement "an elephant never forgets" is likely to be something of an historic statement for organisations faced with the challenge of permanently removing personal data of individuals from their systems on receipt of requests to do so.
Justin Tivey is a legal director in Bond Dickinson LLP's Insurance Group, and part of the firm's Data and Cyber Risks offering.