They call it ‘derecho al olvido.’
“The data subject may oppose the indexing by a search engine of personal data relating to him where their dissemination through the search engine is prejudicial to him and his fundamental rights to the protection of those data and to privacy…[and] override the legitimate interests of the operator of the search engine and the general interest in freedom of information.”
In other words: the right to be forgotten. But how extensive is that right?
The European Court of Justice ruling, whereby they found that a Spanish man does, indeed, have the right to use the law to suppress information about him that pops up about him in Google, has bumped an otherwise theoretical issue to the forefront of an international debate over where a user’s right to privacy begins and ends.
Last week, the European Court of Justice issued its preliminary ruling in what will surely be considered a landmark privacy case, Google Spain SL v. Agencia Espanola de Proteccion de Datos. The Court was asked to interpret privacy directives that have existed in the European Union for nearly two decades, and which have been rooted in other aspects of European law for even longer. The ECJ held that EU data subjects can compel Google (and other online search engines) to remove search results linking to websites containing personal information about them.
But as Richard Stobbe, an associate with Field Law in Calgary, puts it: “it's a complaint-based regime.” To that end, he says the idea of this power being a ‘right’ is sort of a misnomer. “The ‘right’ may be subject to the interpretation by a Google employee, considering all these different criteria that the EU decision has listed,” he says. So the power is not absolute. Whomever is listing, or controlling this information still has to make a judgment call regarding the fair and lawful use of the information, and whether it’s excessive or out of date. In other words, Stobbe says, there’s “scope for disagreement.”
But while this may sound all very European, the case has huge implications for Canada. That’s because, to some degree, we might already have the right to be forgotten.
In 2002, the European Commission recognized the Canadian privacy regime — thanks to the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) — as being ‘adequate,’ or, effectively, on par with the EU’s.
As an EU press release put it at the time: "this decision will simplify procedures for the transfer of personal data between Europe and Canada and ensure that EU businesses know where they stand legally, whilst making certain that such data enjoys adequate protection.”
PIPEDA affords Canadians the right to have their data retained for a maximum amount of time. In effect, we have the right to be forgotten — eventually.
John Beardwood, a partner at Fasken Martineau, points out that that Canadian law affords us the right to be forgotten — “only after your retention period is expired” — but how does that match up with what the Europeans have just ruled? Namely, if the European Commission figures Canadian law to be inadequate in that regard, might the EU downgrade our standing and cause headaches for companies who share data across the Atlantic?
Beardwood says it’s “unlikely,” only because he’s not sure that the European’s plan is feasible. “I’m not sure it makes sense.” Beardwood says.
On one hand, he says, allowing users to merely remove their information from a search engine isn’t real privacy — it’s the illusion of it. The right to be forgotten really includes the ability to have the data-holder give up your information entirely — taking a hammer to a hard drive out back, if need be. That logical extension has issues, though, as the power to scrub information about yourself that you can have “immediately activated” can put companies in the lurch if they ever face litigation on the matter, he says.
Here in Canada, the latter option is technically afforded under PIPEDA, but it’s a toothless clause.
The law affords Canadians the right to withdraw consent to have their data held by a corporation. However, that doesn’t mean a whole lot — the Act does not expressly provide users with a recourse to have their data deleted once they withdraw that consent. While companies must have policies in place regarding the destruction of personal information, there is no clear way for users to request it be done. Technically, the Privacy Commissioner oversees their revoking of consent, but the decision to comply with the request is largely voluntary.
If we turned away from that dead end and emulated the European regulations — following a complaint-based process — it would open up vast questions of free speech and freedom of information.
“I don’t think it’s limited to something that you, yourself, put out,” Beardwood says. “So much of the personal information available about ourselves are not things that we’ve put out about ourselves, it’s things other people have generated.”
Is that information subject to the right to be forgotten? And if so, could it include items like news stories or credit reports?
Regardless, Beardwood says the ECJ decision will have a practical impact on outside jurisdictions.
Many corporations today are far from compliant with hosting data rules — the sheer logistics of enforcing PIPEDA’s data retention requirements, especially given the Privacy Commissioner’s limited resources, make the provision virtually unenforceable. Giving users a formal recourse to request their data be taken down “is going to push us further along the spectrum,” says Beardwood.
Provincial legislation scattered across the country doesn’t offer too much more in the way of enshrining the right — they, to varying degrees, back-up the hardly-enforced federal requirement that data retention be a short-lived affair.
To that end, he says, the European move towards taking down information — effectively what the Americans have done to suppress illegal music sharing with the Digital Millennium Copyright Act — isn’t really ‘forgotten.’ He says that real privacy includes the power to have corporations fully remove all of your personal information from their servers. Creating a proper channel to make that request is a good first step.
If PIPEDA’s retention period were truly enforced, he says, it would really empower Canadians with the right to be forgotten.
Also, there are compelling business reasons to delete this information, says Beardwood. PIPEDA establishes a trustee relationship between the user and the corporation hosting their data. Even if the user no longer uses the service, the data-holder is still legally responsible for the security of that data. Deleting the information of former users, after a reasonable length of time, limits the corporation’s liability in the case of a breach or a hack.
So while the right to be forgotten might not be here yet, it may not be far off