The European Court of Justice’s May 2014 decision to recognise and enforce a “right to be forgotten” for EU data subjects has been well documented recently in global media channels. Putting aside the merits of the public policy debate between freedom of speech vs individual privacy and where the line in the sand should be drawn, the decision is an interesting extrapolation of the requirements of existing Article 12 of the EU’s 1995 Data Protection Directive.
In a nutshell, EU residents can request data controllers (and now search engines, in the context of organic search result links) that have an EU presence (or sales office) that host their information (even where servers are located outside the EU) to remove links to their personal information that is “inaccurate, inadequate, irrelevant or excessive” unless the public interest prevails (or the search engine’s assessment of the public interest). The underlying premise of the current right of access in Article 12 of the 1995 Data Protection Directive is the “rectification, erasure or blocking” of data that does not comply with the directive particularly where the data is incomplete or inaccurate.
The right of a data subject to request access, correction and removal of personal information of data held by a processor or controller is a common principle within most national data protection laws. The ECJ seem to have added now added a relevancy or excessive test and the proposed new Article 17 of the General Data Regulation applies a “no longer necessary for the purposes for which they were collected or otherwise processed” and a consent withdrawal requirement.
Although this is an EU compliance issue and involves the usual EU mechanics of member nations implementing the directive into their domestic laws, it’s still a salient reminder to Asia Pacific companies processing or hosting data of the requirement under most data protection laws in the region to permit access, correction and updating of information. Implicit in this requirement, is the need to establish an external enquiry, correction and takedown process – so this would appear to set the future expectation of industry practice and compliance costs for online data businesses.
It is somewhat ironic that the consumer demand to be “forgotten” has already manifested itself in the new wave of social network sites that offer transient or perishable content postings (e.g. Snapchat, etc.)
This topic will certainly be in the “Watch this Space” category over the coming months as the first mover companies start to implement their compliance interpretation of this takedown and erasure process. It is an interesting development that may see the more popular search engines and social network sites assume public clearinghouse characteristics in addition to their primary search and linking functionality.
