data-protection-and-cyberThe recent European Court of Justice ruling (available here) that effectively granted a Spanish national ‘a right to be forgotten’ has caused much stir as we wait to see precisely what implications this decision will have.  As expected, Google has reportedly received a flood of requests from people seeking to have their information removed from the Google search engine, including politicians, public figures and persons with criminal records.

Indeed, in response to the European Court of Justice’s ruling, Google has already taken steps to operationalise this decision, having now released an online form (available here) for users to submit requests and announced that it is forming a committee to advise on how best to implement the decision.

We have previously discussed this case and its implications for South Africa in an article first published in the Business Times (available here).  The case was instituted by Costeja Gonzalez, a Spanish national who lodged a complaint in 2010 with the Spanish information regulator.  The complaint was against a national newspaper and against Google Inc and Google Spain, with Mr Gonzalez complaining that when an internet user entered his name in Google’s search engine, the user would obtain links to pages of the Spanish newspaper from 1998 referring to attachment proceedings against him for the recovery of certain debts.  Mr Gonzalez requested that the personal data relating to him be removed or concealed because the proceedings against him had been fully resolved and the reference to him was therefore now entirely irrelevant.

The Spanish data protection regulator dismissed the complaint against the newspaper, but upheld the complaint against Google.  On appeal by Google to the Spanish high court, the high court referred the issue to the Court of Justice for a recommendation on how it should be addressed.  In a landmark decision, relying on Europe’s data protection legislation (“the EU Directive”), the Court of Justice effectively held that in general a data subject should have a right to have personal information relating to him or her removed from the list of Google results following a search of that person’s name.

This is the end of the road for Google insofar as the member states of the European Union are concerned, given that there is no higher court to which Google can appeal.  Although practically it is now for the Spanish high court to implement this recommendation, the indication from the Court of Justice is clear: Mr Gonzalez indeed has a right to have his past misdeeds in this particular case forgotten.

As we noted in our article in the Business Times, the crux of this ruling is that where it is found that the inclusion in the list of results displayed by a search engine contains information that appears to be inadequate, irrelevant or excessive in relation to the purpose for which it was collected and in light of the time that has lapsed (even if the information remains true and was initially lawfully processed), the information and links concerned in the list of results must be erased.  In such circumstances, the Court was satisfied that the right to privacy of a data subject overrides the economic interests of the operator of the search engine, as well as the legitimate interests that other Internet users may have in this information (although the Court did note that this may not be so in all cases, e.g. where the data subject is a public figure).

There can be no doubt that this ruling will impose onerous obligations on Google, as well as other search engines and internet publishers.  Indeed, it has been legitimately criticised for effectively prioritising the right to privacy over the importance of the free flow of information. And while this ruling has no binding effect in South Africa, it may well be of persuasive authority if a South African were to rely on the similar provisions in the South African Protection of Personal Information Act, 2013 (“POPI”) [pdf], when it comes into force, to try and achieve the same result for search engines and even Internet publishers.

There are two important implications of the ruling that are likely to influence regulators even outside of Europe: (i) that the Court was satisfied that it had the jurisdiction to make such a ruling despite the fact that Google Inc (being the Google entity responsible for its search function) is based outside Europe, on the basis that Google Spain was still an establishment of Google Inc; and (ii) in finding Google to be a controller (or “responsible party” in POPI-speak), the Court gave a broad interpretation to the key definitional terms with the overarching consideration being what it considered to be the provision’s objective – to ensure effective and complete protection of a data subject’s right to privacy.

Notably, POPI imposes similar obligations on responsible parties as that imposed by the EU Directive.  Of particular relevance, condition 2 of POPI provides that personal information may only be processed if, given the purpose for which it is processed, it is “adequate, relevant and not excessive”; condition 5 requires that a responsible party must take steps to ensure that personal information is “complete, accurate, not misleading and updated where necessary”; and condition 8 grants a data subject the right to request a responsible party to correct or delete personal information about the data subject  that is “inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully”.

What does the Google decision mean, however, for the South African media, who process reams of personal information on a daily basis as part of their reporting functions?  Fortunately for the media, section 7 of POPI contains an exemption which provides that POPI does not apply to the processing of personal information that is solely for purposes of journalistic, literary or artistic expression to the extent that such an exclusion is necessary to reconcile, as a matter of public interest, the right to privacy with the right to freedom of expression.

While this still places some restriction on the media and requires journalists to give serious consideration to the public interest in the publication of the personal information, it is nevertheless granted significantly more leeway than other responsible parties.  What will be required for this exemption to apply, however, is for the media codes of ethics to be updated to provide for adequate safeguards for the protection of personal information.  This means that our media regulators need to revisit, for example, the Press Code (available here) and the Broadcasting Complaints Commission Code (available here) to interrogate their compliance with this requirement.  This does not, however, protect other Internet publishers who are not members of the media bodies.  They will have to argue, for instance, that historical storage of true information about a data subject on their websites serves an important legitimate interest in freedom of expression and the maintenance of archives.

While the media has thus in principle been granted some reprieve from the obligations imposed by POPI, other responsible parties in South Africa are now left waiting to see when the legislation will come into force, after which they will have a one year grace period to get their house in order so that they comply with the requirements of POPI.  If the indication from the European Court of Justice is anything to go by, the one thing that is clear is that the way we protect personal information in a digital age is about to change dramatically.

This post originally appeared on the Musings on the Media blog and is reproduced with permission and thanks