French Court ordering Selfie-Takedown

From the Maw-Law Blog: “On December 12, 2015, Brahim Zaibat, a dancer and choreographer, posted on social media a selfie he had taken two years ago, showing him in an airplane, just a seat behind the one where Jean-Marie Le Pen, the honorary president of the French National Front, had fallen asleep. …” Read more at: http://www.maw-law.com/uncategorized/selfie-privacy-freedom-speech-collide-france/

CJEU is asked to rule on the ‘Right to be Forgotten’ again

The Italian Supreme Court recently asked the CJEU for a preliminary ruling on two questions regarding the ‘right to be forgotten’.

[Disclaimer: this information is loosely translated from official documents published by the Dutch Ministry of Foreign Affairs. The original request can be found here [it]. The CJEU’s documents folder (still empty at the time of writing) can be found here.]

Facts & Procedure (Case C-398/15 – Manni)

The original plaintiff (Salvatore Manni)’s business had gone bankrupt in 1992. This was added to a public Company Register, managed by the defendant (Camera di commercio di Lecce). Plaintiff argued he (his business of selling houses in particular) suffers damages and requested defendant to anonymise his name or restrict access to the register. Defendant stated that the ‘Companies Register’ is a public database with the primary function of informing (on request) about relevant information of companies. The case escalated all the way to the Italian Supreme Court (Corte Suprema di Cassazione), which referred to questions to the CJEU.

Questions referred

The Italian Court essentially wonders whether information legally consigned to (and made public by) the defendant, can be erased, anonymised or access-restricted after a certain time. The Court does point out the importance of the public Register (for legal certainty). Referring to the Google Spain Case (C-131/12), the Court asks not whether the information should be erased from the Register, but whether limits should be put as to the (further) use of this public information by third parties.

  1. Does Article 6(1)(e) of the Data Protection Directive supersede the making public through the company register as commended by Directive 68/151/EEG and corresponding national legislation, to the extent that the latter requires that anyone should have have access to the personal data in the register without restrictions?
  2. Does Article 3 of Directive 68/151/EEG allow, in contrast with the rule that the Company Register saves public information for an indeterminate time and can be consulted by anyone, the information to be made no longer ‘public’, though still available to a specific group, and this to be decided on a case-by-case basis by the Register’s manager?

Relevance

The underlying facts in this ‘Manni’ Case, are strikingly similar to the ones in the Google Spain Case. Instead of focusing on the third-party, however, the CJEU is now asked to evaluate the obligations of the original publisher. In Google Spain, it was already decided (by the national DPA) that the original publication could not be touched before even reaching the CJEU. In the Manni Case, the original source also has a legal obligation to publish. Yet, it is not asked to remove personal data from the source altogether. Only whether the source can be asked to make it less accessible. This raises very interesting questions – left unanswered in Google Spain – as to the obligations on the shoulders of the original publishers and different degrees of publicity.

To be continued…!

Court of Justice Finally issues Judgment in Google Spain Case (C-131/12)

*This BlogPost is based on a piece written for the LSE Media Policy Blog and Internet Policy Review*

 

The Court of Justice of the European Union (CJEU) finally released its long-awaited judgment in the Google Spain (C-131/12) case. In short, the Court decided that individuals do have a right to request search engines to remove links to webpages when the individual’s name is used as a search query. This ruling cannot be overturned and is now referred back to the national court. Theoretically, it is still possible for Google to take this case to the European Court of Human Rights (based on article 10 ECHR) once the national Court makes a final decision.

Although the Case is often referred to as the Right to be Forgotten Case, it does not hinge upon the similarly named provision in the proposed Data Protection Regulation. Instead, the main legal basis in this decision was the Data Protection Directive 95/46 (hereafter: ‘the Directive’), including the rights to object (art.14) and to erasure (12(b)). The case is particularly interesting because it lies at the intersection of data protection law, freedom of expression and (a detailed discussion on this interaction is available here).

 FACTS

The facts of the case concerned a Spanish citizen who was subject to bankruptcy proceedings in the nineties. Spanish law dictated that links to the public auction following this bankruptcy were published in a local newspaper (LaVanguardia). In the late 2000s, the citizen discovers that links to this newspaper article appear as the top results when entering his name into Google’s search engine. All requests directed to the newspaper to takedown – or at least anonymise – the respective article were unsuccessful. After all, it had the legal obligation to publish the information in the first place. The Spanish data protection authority did rule, however, that Google should take down links to the article when entering the individual’s name. The search engine appealed to this decision and the case was brought before the Audiencia Nacional, which in turn referred three questions to the Court of Justice of the EU for a preliminary ruling.

Last June, Advocate General Jääskinen already issued an Opinion in this case, which in turn sparked a lot of academic debate. In this Opinion, the AG concluded that data subjects do not have a right to erasure vis-à-vis search engines with regard to information, published legally on third parties’ web pages (§.138 of the Opinion).

 

FIRST REACTION

Given the complexity of the case and the nuanced wording of the decision, it will take many readings to form a more definitive opinion about this ruling. However, here are my first thoughts.

The CJEU was asked to answer three main questions, relating to (1) the territorial scope of the Directive; (2) the material and personal scope of the Directive; and (3) whether or not data subjects have a right to object/erasure when it comes to search engines directly.

Scope of Application

With regard to the first two questions, the Court was rather straight-forward. To the extent that ‘the operator of a search engine sets up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State’, the processing falls within the territorial scope of application of the Directive (art.4(1)a) (§.60).

Given the fact that search engines ‘collect’, ‘retrieve’, ‘record’, ‘organize’, ‘store’ and ‘make available’, they do process personal data, and thus fall within the material scope of application of the Directive (art.2(b)) (§.28-29).

The Court also specified that search engines’ activities can be distinguished from (and are additional to) those carried out by the original publisher(s). Hence, they should be considered controllers (art.2(d)) (§.41).

 

Right to be Forgotten?

The third category of questions that was presented to the CJEU, related to the so-called right to be forgotten and constitutes the most controversial aspect in this case. Some of the key issues are:

  • Limited scope of the judgment

First of all it is important not to overemphasise the impact of this judgment on the right to freedom of expression (art. 11 Charter; art.10 ECHR). In this particular case, the request related specifically to the link between using an individual’s name as a search query and the search result referring to a particular webpage. In other words, even if the request is granted, the same webpage can still be reached through other – maybe more relevant – search terms.

  • No obligation to delete, but an obligation to balance

One should not conclude that any individual can now request search engines to delete links to webpages when their name is used as a search term. Instead, such requests will still have to comply with the requirements under article 12(b) (right to erasure) and/or article 14 (right to object). Put briefly, these provisions require a balance to be made between opposing rights and interests (§.74; 76). Hence, the plaintiff will have to substantiate his/her request and upon receiving such a request, the search engine will have to make the necessary balance. If the search engine does not grant the request, the CJEU specified that ‘the data subject can bring the matter before the supervisory or judicial authority so that it carries out the necessary checks’ (§.77). In other words, search engines are not obliged to comply with takedown requests, unless a supervisory or judicial authority issues them.

  • Independent responsibility of Search Engines

This observation ties back to the personal scope of the Directive. It was emphasised throughout the judgement that Google’s activities can clearly be distinguished from those of the original publishers. The potential harm or negative consequences vis-à-vis the data subject will in many cases not result from an obscure publication in a local online newspaper, but rather from the widespread (and often decontextualised) availability of the information through search engines. A logical consequence is that even though the original content is published lawfully, data subjects will still be able to request the removal from search engines directly. It is important to distinguish this from potential requests directed to the original publisher (e.g. to remove or blur out his/her personal data) (§. 39).

  • Over-responsibilisation?

Upon first reading, one could claim the judgment puts to big a burden on search engines. After all, paragraph 38 specifically states that the operator of a search must comply with all the requirements in the Directive. It goes without saying that subjecting search engines to the full application of the data protection Directive, gives rise to considerable concerns. On the other hand, the judgment does specify that search engines only need to comply with the Directive ‘within the framework of their responsibilities, powers and capabilities’ (§.38; 83). It is still too early, however, to predict how this will play out in practice.

  • Presumption that data subject’s rights trump all others

One of the most important concerns I have at this stage, concerns the Court’s presumption that ‘data subject’s rights […] override, as a general rule, the interest of internet users…’ as well as the economic interests of the search engine operator itself (§.81). In other words, it seems that the court suggests an imbalance of interests should be presumed, favouring privacy interests over all others. However, the Court does seem to nuance this by stating the balance might depend on the nature of the information, its sensitivity, the interest of the public, the role of the relevant individual in public life, etc. Needless to say that this wording is not conducive to legal certainty.

Implications

Today’s ruling by the Court of Justice in Google Spain undoubtedly raised many eyebrows. Surprisingly it almost entirely goes against the Opinion of the Advocate General issued in June 2013. Nevertheless, it is still too early to draw general conclusions from the judgement. Even though at first glance it seems to considerably threaten freedom of expression/information interests, much of the wording seems to be very nuanced and limited in scope when looked at more closely. Additionally, the decision is entirely based on the existing legal framework (Directive 95/46). It is hard to predict how the judgment will interact with the future data protection Regulation, which is already being drafted..

Hosting Platforms after the Italian GoogleVideo Case – Data Controllers or not?

In its long awaited judgement, the Italian Supreme Court ruled that Google Video could be not be deemed a data controller with regard to the videos it hosts on its platform. As a result, they cannot be held responsible for the dissemination of these videos. The Court specified that the rules ‘presuppose actual decision-making power over (a) the purposes and means of the relevant processing (dissemination to the public); and (b) the balancing between different rights and interests at stake. It can be deduced from the existing framework that this decision making power depends on the existence of actual knowledge. In other words, Google Video only becomes responsible (data controller) from the moment it is made aware. This interpretation, the Court explained, is in line with what is written down in the eCommerce Directive (exemption of hosting providers and no general obligation to monitor, artt.14-15).

It is worth saying, however, that many processing activities are relevant in this context. The dissemination of the video (containing personal data) is one processing activity, for which the uploader should be considered controller. But, besides this, the video (and hence the personal data contained within) is potentially subject to many other processing activities as well (analysis for behavioural marketing purposes, facial recognition, etc.). With regard to this second strand of uses of the data, a strong argument can be made for the hosting platform to be the data controller. After all, they are determining the purpose and means of these specific activities.

Because in the case at hand, it was mainly the activity of dissemination that was objected to, the original controller bears primary responsibility. But this should not overshadow the responsibilities of hosting platforms (and the like) for the plethora of other processing activities the data is subject to.

Sources:

Hacking your Smart TV…

Last summer, at Blackhat 2013, a Korean researcher presented the vulnerabilities of increasingly popular ‘Smart TVs’ (>80million units sold in 2012). His slides can be found here.

The following aspects are particularly worth mentioning from a privacy law perspective:

  • Attractive target for hackers:
    • Low security
    • Always powered/connected
    • Camera + microphone much more attractive than smartphone (which is often on a desk, put away and moves around a lot)
    • Centrally located in household
    • Often many other antennas inside (Bluetooth, WiFi, etc.)
    • Presence of an App Store makes it easy to disseminate malware
    • Many different points for attack: physical, USB/other ports, remote control, broadcast signals, etc.
  • Issues:
    • TV is a Black Box
    • OS is very big
    • Very vulnerable for attacks via apps such as social networks
  • What can be done:
    • Hijacking TV programs
    • Key-Logging
    • Capturing TV screenshots
    • Sniffing network traffic
    • Stealing (financial) information
    • capturing camera/mic feeds
    • All of this can be done in good quality and 24/7 (researcher demonstrated that monitoring was still possible after user ‘turns off’ TV)

Yet another clear example of the need for creators of technology to take seriously the principles of Privacy by Design, Data Security and Data Minimisation… .

The French CNIL issues guidelines on how to get rid of PD in search results

There are basically two options, the CNIL explains:

  1. Approach the original website/uploader
  2. Downgrade search result(s)

In both situations, the site of origin is the primary entity to contact.

See: Comment effacer des informations me concernant sur un moteur de recherche ? – CNIL – Commission nationale de linformatique et des libertés.