[Brief summary of my presentation at the CPDP 2014 panel on “Timing the Right to be Forgotten”. Slides: See Below]
The panel took a really refreshing perspective on the Right to be Forgotten debate. So I was glad to take this opportunity to look more closely at what role ‘time’ actually plays in the legal framework relevant to the so-called ‘Right to be Forgotten’.
In short, the presentation aimed to identify some of the relevant legislations and case-law, with a particular focus on the general right to privacy and the data protection framework.
Terminlogical Issue – Over the past few years, the so-called ‘Right to be Forgotten’ seems to have been used as some sort of umbrella term to refer to different situations and different legal regimes (general right to privacy, right to personal portrayal, data protection, defamation, etc).
General Right to Privacy – When looked at in the context of the general right to privacy (8 ECHR), it is usually applied to shield individuals from being confronted with certain aspects of their past in a disproportionate, unfair or unreasonable way (classic example: ex-convict who is confronted with his/her past in the media, years after the facts). Because it is primarily invoked in situations where an individual’s personal life is publicly exposed, usually by the media, a careful balancing exercise with other fundamental rights will be imperative. One of the key criteria in making this balance will often be to look at how much time has passed. In the Österreichischer Rundfunk v Austria Case, for example, the ECtHR specified that the lapse of time since a conviction and release constitutes an important element in weighing an individual’s privacy interests over the public’s interest in publication. But, in another case, concerning the publication of a book by the private doctor of former French President Mitterand, the Court held that the lapse of time was an argument in favour of the public’s interests over the privacy and medical confidentiality protections of the ex-President.
Data Protection Law – When based on the data protection framework, the right to be forgotten – or rather right to erasure – seems to be more mechanical and straight-forward. At least in theory. Under the current Directive, the right can be invoked when the data processing “does not comply with the provisions of the Directive, in particular because of the incomplete or inaccurate nature of the data” (art.12). In other words, it looks like the data subject could invoke his/her right to erasure when the controller fails to fulfil its obligations or ignores data subjects’ rights. Keeping mind the concept of ‘Time’, three of the most relevant elements, probably are (1) the purpose specification and use limitation principle, (2) the need for a legitimate ground and (3) the data subject’s right to object.
The purpose specification principle actually constitutes some sort of benchmark against which the processing of personal data will be assessed over time. Besides having to be be specific and explicit, the purpose also has to be legitimate. It goes without saying that the legitimacy of the purpose of processing can evolve over time, depending on a variety of factors. On top of that, over time the personal data might become unnecessary, irrelevant or inadequate to achieve the original (or a compatible) purpose (for more information, check the Article 29WP Opinion 2/2013 on Purpose Limitation).
Secondly, the processing activities will permanently have to be tested against the legitimacy grounds in article 7 of the Directive. This is particularly relevant when the processing is based on the last legitimacy ground, which requires a careful balance to be made between all rights and interests at stake. These might, of course, evolve over time as well.
Thirdly, in principle the right to erasure can also be invoked when the data subject has successfully exercised his/her right to object. In order to exercise one’s right to object, it is necessary to put forward compelling and legitimate grounds (relating to one’s particular situation). It goes without saying that these grounds can include a variety of factors, among which time is one.
In the currently still pending Google Spain Case before the Court of Justice of the EU, for example, one of the primary arguments of the original plaintiff was the passing of time.The National Court explained that today, it is possible to create very detailed personal profiles in just a couple of clicks, with information that used to be difficult to find. The lack of territorial and temporal limitations to the dissemination of information constitutes a danger to the protection of personal data. The Court further specified that originally lawful and accurate personal data may become outdated overtime in the face of new events. Some of this information might actually generate social/professional/personal harm to the individual.
Finally, a few words about the draft Data Protection Regulation. Article 17 on the Right to be Forgotten and to Erasure – already rebranded to the pre-existing right to erasure – specifically aims to give (back) some control to data subjects over their data. Without wanting to go into detail on this provision (which does not add that much to the existing regime, but rather emphasises existing rights and obligations), it is worth highlighting that the article does refer to the concept of ‘Time’ in paragraph 7. This provision stipulates that the controller should “implement mechanisms to ensure that the time limits established for the erasure of personal data […] are observed.” The Regulation also requires these time limits are to be specified in the information provided to data subjects (art.14(1)(c).
Concluding. First of all, technology makes it ever more more easy to store and find old information. Just think of the digitisation of old archives, facial recognition, geo-tagging, etc. This trend evidently upsets an increasing amount of individuals. Depending on the relevant facts in each case, a number of legal frameworks might be used to request certain information to be removed. The general right to privacy seems to be particularly used in situations where private information is made public (again) by the media. From ECtHR (and national) case-law it can be deduced that the time-factor can either play in favour of removing the information (when deemed irrelevant, see Österreichischer Rundfunk v Austria Case) or in favour of keeping the information available (when entered in the public domain or when the information is of particular relevance in light of current events, see Aleksey Ovchinnikov v. Russia and Editions Plon v. France). In any case, it seems that from all legal frameworks that might be applicable, data protection law in particular constitutes an increasingly attractive route to take. Not only does it have a broad scope of application, but unlike most other regimes, it does not require falsehood, malicious intent or even widespread publicity
Regardless of what legal regime is used, it seems that in virtually all of these cases, a balance of interests and rights will have to be made. And in quite a few situations time will be a relevant factor to take into account. To give yet another recent example, it is worth referring to the Advocate General’s opinion in the DRI & Seitlinger Case before the Court of Justice (C‑293/12; C‑594/12), released just last month. In this Opinion, the AG explicitly claimed that the Data Retention Directive is incompatible with the Charter of Fundamental Rights. One of the reasons he put forward was that the Directive does not respect the principle of proportionality, in requiring data retention for up to two years. Although the Directive’s ultimate objective is perfectly legitimate, the AG argued, there is no justification for extending the data retention period anything beyond one year.
So, in short, it seems that the passing of time can be used to argue both ways – for or against removal. The importance of ‘time’ in determining the merits of removing information will be different in each individual case, but should not be overestimated either. Eventually, time will just be another factor in assessing the balance of rights and interests.