Tony Conaghan

Forget-me-nets – the right to be forgotten on the web?

Tony Conaghan

24 July 2014

Confidentiality and Privacy

Some recent and interesting developments in Europe concerning the droit d’oubli  – the right to be forgotten, have prompted the Australian Federal Government to consider whether additional Australian Privacy Principles ought to be contemplated and applied.

No rain on the (private) plain in Spain…


In 2010, Mr Costeja González (a Spanish national) lodged a complaint with the Spanish Data Protection Agency (SDPA) against Google Spain and Google Inc. (together, Google) as well as La Vanguardia (a Spanish newspaper).  Google, upon a search for Mr Costeja González’s name, displayed links to two of La Vanguardia’s newspaper pages, published in January and March 1998 which contained an announcement for the auction of real estate following proceedings to recover social security debts.


Costeja González requested that La Vanguardia remove or alter the newspaper pages displayed to ensure that his personal data was no longer available.  He also requested that Google ensure his personal data no longer appeared in search results and links, on the basis that the proceedings to recover his debts had been long resolved so that the information being published was now irrelevant.


While the SDPA found La Vanguardia’s publication to be lawful, it upheld Mr Costeja González’s complaint against Google, requiring Google to withdraw the data in question, and render future access to it impossible.


Google appealed to the Court of Justice of the European Union (CJEU) to annul the SDPA’s decision.  Some essential aspects of the decision include:


  • The CJEU’s finding that Google (amongst other things) collects, organises and makes data available – actions which comprise data processing, within the meaning of the relevant European Directive.  This is despite the material having already been published in the media.


  • The CJEU also held that Google is classified as a ‘controller’ of the data processing, so its activities are additional to those of website publishers and can therefore discretely affect an individual’s rights to privacy.


Google’s obligations to erase information can therefore (in Europe) operate independently of a website operator’s obligation to remove it from a web page.  An essential aspect to this is the fact that Google’s provision of a list of results facilitates the interconnection of multiple pieces of information about an individual’s profile, which would otherwise be more challenging to obtain.


Meanwhile, in Australia…


While this approach would seem to impose far stricter obligations on Google than the law in Australia has done so far, some recent developments on the home front indicate some further developments in relation to information provided by the relevant individual (not third parties).


The Federal Government’s Australian Law Reform Commission (ALRC) released a discussion paper in March 2014, titled ‘Serious Invasions of Privacy in the Digital Era’.


The paper acknowledges that the longer information which represents an invasion of privacy is available, the greater its capacity for harm – a function of today’s digital era.


The ALRC has therefore recommended a new Australian Privacy Principle which would allow an individual recourse to a simple mechanism to request destruction / de-identification of personal information provided to an entity by the individual.  According to this proposal, the APP entity (as defined in the Privacy Act 1988 (Cth) – the Act) would then be required either to comply with the request within a reasonable time, or provide the individual with reasons for its non-compliance.


This recommendation is distinct from the European Directive, in that it does not facilitate requests for removal of information posted by others about an individual.


The proposed Privacy Principle both complements the already-existing Privacy Principles, and empowers individuals to request that their personal information be corrected.  It also triggers an APP entity’s obligation to delete personal information, where an individual requests this and the information is no longer required for a specific purpose set out under the Australian Privacy Principles.


Importantly, recourse to enforcement mechanisms is available where an individual is of the opinion that an APP entity has failed to comply with its request.  These include making complaints to the Office of the Australian Information Commissioner (as the failure to comply would constitute interference with privacy under the Act) and in the case of serious or repeated failure to comply, civil and possible pecuniary penalties.


The paper also discussed the potential merit in establishing take-down mechanisms by which an individual can apply to have information provided by a third party removed from a website.  Among the benefits discussed are the fact that this mechanism would, conceivably, be more timely and cost-effective than obtaining an injunction for the removal of this class of information.


As is axiomatic to the nature of privacy law, the kernel of the issue in making determinations under proposed principles such as these, whether it be in Australia, Europe, or any other corner of the globe, is whether the breach of an individual’s privacy is sufficiently serious to warrant the infringement on freedom of expression and the public’s interest which the removal of the offending information represents.