Forthcoming ‘right to be forgotten’ cases and the interplay with the GDPR

With a number of high-profile claims against Google in the offing, practitioners and individuals alike are hopeful for guidance on the interplay between the application of the ‘right to be forgotten’ principle and the forthcoming introduction of the General Data Protection Regulation (GDPR).

Iain Wilson, managing partner of Brett Wilson LLP, considers the issues at hand.

What cases are on the horizon regarding the ‘right to be forgotten’?

The trial of the first English case to consider the application of the ‘right to be forgotten’ principle in the UK following Google Spain v Agencia Española de Protección de Datos (AEPD) Case C-131/12,

began in the High Court on 27 February 2018 [judgment is currently reserved]. In NT1 v Google LLC, the anonymised claimant is seeking an order requiring Google to delist search results (it having refused to do so voluntarily). The search results in question relate to the claimant’s conviction in the late 1990s for conspiracy to account falsely. Under the Rehabilitation of Offenders Act 1974 (ROA 1974), the conviction is ‘spent’. This means the claimant is not ordinarily required to disclose the conviction.

Similarly, the trial of NT2 v Google LLC was due to commence on 12 March 2018. The claimant in that action is seeking the delisting of results relating to a conviction for conspiracy to intercept

communications. This conviction is over ten years old and, again, spent.  The core issue in both cases is how the trial judge (in both instances, specialist media law judge Mr Justice Warby), will approach the issue of if and when convictions (and what type of convictions) can be ‘forgotten’.

The term ‘right to be forgotten’ is somewhat misleading because there is no absolute right—the court will have to be satisfied that there is no overriding public interest in the search results remaining available.

The outcome of the case is eagerly awaited by both practitioners and those seeking to suppress

adverse search engine results. Significantly, the Information Commissioner has intervened in the

trial, no doubt ready to adopt and apply any guidance that can be drawn from the judgments to her own regulatory reviews of Google’s decisions.

Many commentators believe the answer to the question is obvious—Google should be required to delist search results at the point when a conviction becomes spent. To allow search results to

appear prominently against a person’s name after a conviction becomes spent undermines the

purpose and functioning of ROA 1974, it being common practice for prospective employers (or any ‘interested’ party) to undertake a Google search on their subject.

Indeed, in the conjoined pre-trial review, Mr Justice Nicklen (also a specialist media law judge),

noted that there was nothing in fact new about the ‘right to be forgotten’ principle; its roots being in rehabilitation legislation and not data protection law. The judgment on the pre-trial review can be found here: NT1 v Google LLC [2018] EWHC 67 (QB).  NT1 and NT2 will also consider other matters, including whether Google is liable to pay compensation for results processed in contravention of data protection rights.

Secondly, a collateral claim is being brought against Google for the misuse of private information. The court will need to consider whether the act of returning search results is akin to publication and, if not, whether that matters in order to establish that it is misusing private information.

The decision in Metropolitan International Schools v Designtechnica [2009] EWHC 1765 effectively shut the door on defamation claims against search engine operators, by holding that they were not publishers. Many commentators have since questioned whether this case was decided correctly (it is perhaps odd that Google is a data controller, but not a publisher). NT1 will allow the court to look at this important issue afresh.

How will the right to erasure under the GDPR interplay with that ‘right to be forgotten’ arising under the chain of cases beginning with Google Spain?

The GDPR, which comes into force on 25 May 2018, is intended to strengthen the privacy rights of individuals. The ‘right to be forgotten’ will be codified in statute as a ‘right to erasure’. Again, the term is misleading as it will still not be an absolute right. Data controllers may continue to process if necessary for:

• freedom of expression

• compliance with member state law

• tasks carried out in public interest

• public interest in the area of public health

• archiving purposes in the public interest

• scientific or historical research purposes, or

• statistical purposes (if the individual right would make it impossible to carry out

objectives)

In theory, some significant changes are explained below:

The right to erasure is not limited to search engine operators. While this is already the case (the

underlying legislation EU legislation/Data Protection Act 1998 applies to all data controllers), the

GDPR makes it clear that all companies (including those not publishing information) will need to

comply with a valid ‘right to erasure’ request. Thus, one could make a ‘right to erasure’ request to, say, their old tennis club, requiring them to destroy all data held on them. The tennis club would need to justify why the data needed to be retained.

The burden for justifying the ongoing processing of personal data is effectively reversed. So, rather than a data subject having to establish they were suffering unwarranted damage and distress as a result of unlawful data processing, the data controller would have to demonstrate compelling grounds for continuing to process the data.

An individual will normally be entitled to request the erasure of information put in the public domain prior to reaching adulthood.

In practice, the above may make little practical difference to the approach search engines adopt.

One suspects Google will still send a standardised email when rejecting delisting requests stating

that ‘it believes there are compelling grounds for continuing to process your personal data’. Anyone making a ‘right to erasure’ request would normally still be advised to instruct specialist solicitors to set out the damage/distress the data processing is causing and pre-empt and rebut any potential

counterargument.

It is hoped that domestic legislation might provide a clearer framework for requests, although it is likely that interpretation will be left for the courts. Cases like NT1 and NT2 are likely to offer helpful guidance, but many delisting requests are very fact-specific.

To what extent will previous case law on ‘right to be forgotten’ (ie under Google Spain and

subsequent cases) under the Data Protection Directive still be relevant once the right to

erasure under the GDPR applies?

The core principle established in Google Spain, that search engine operators are data controllers,

will undoubtedly still apply. As the purpose of the legislation is to strengthen individuals’ rights,

arguably the scales should be tilted more towards the individual. Thus, those who have had ‘right to be forgotten’ requests refused, might be well advised to instruct specialist solicitors to make a new request once the GDPR is in force (and, perhaps significantly, following any guidance offered by the court in NT1 and NT2).

Insofar as case law post-Google Spain is concerned, there simply isn’t any yet. NT1 and NT2 may

well be the only cases decided pre-GDPR, and if they don’t like the outcome of the case, there is

seemingly nothing stopping them from having another go under the new regime.

Iain Wilson was interviewed by Jenny Rayner.  This article was first published on Lexis®PSL 

Brett Wilson LLP has extensive expertise in seeking the removal of outdated or inaccurate search engine results.  Click here to see how Brett Wilson LLP can assist you with maximizing your changes of a 'right to be forgotten' request succeeding, complaints to the Information Commissioner and/or claims against search engine operators.