The Internet Never Forgets: Google Inc.'s "right to be forgotten" EU ruling and its implications in Canada 

publication 

August 2014

Technology Bulletin
Karl E. Gustafson, QC, Ryan J. Black, Sharon E. Groom, Michelle Tam, Student-at-Law

In May of this year, the Court of Justice of the European Union ("CJEU") issued a groundbreaking decision for online privacy rights in Google Inc. v. Agencia Espanola de Proteccion de Datos ("Google v AEPD")1. The CJEU ruled that European Union ("EU") citizens have the right to require the erasure of inadequate, irrelevant or out-dated information from search engines, concluding that Google had an obligation to remove such data from its Internet search results. The ruling placed surprisingly onerous obligations on Google and sent shockwaves throughout the technology community. It raises significant implications for online privacy laws in the EU and questions of censorship and the limits on freedom of information. The privacy right at the heart of the decision has become widely known as the "right to be forgotten."

While Canadian privacy laws already give individuals the right to request their online information removed, it is unlikely, and may not even be necessary, that a similar right will emerge in Canada where search engine operators become responsible for protecting and removing an individual's personal data.

Background of Google v AEPD

Mr. Costeja Gonzalez, a Spanish national, filed a complaint in 2010 with the Spanish Data Protection Agency ("SDPA") against the publisher of a Spanish daily newspaper, La Vanguardia Ediciones SL, Google Spain and Google Inc.2 Mr. Gonzalez argued that Google's search engine returned query results of his name that linked to La Vanguardia's newspaper articles from 1998. These pages disclosed announcements from a real-estate auction related to the recovery of Mr. Gonzalez's social security debts.

The complaint asserted that Mr. Gonzalez had a right to privacy with respect to his personal information because the out-dated articles related to proceedings from 12 years prior that had been fully resolved. Mr. Gonzalez applied for an order that the original publisher (La Vanguardia) or the search engines (Google Spain or Google Inc.) be required to remove, alter or conceal the pages and his personal data such that the information no longer appeared in search results with his name.

The SDPA first rejected Mr. Gonzalez' claim in regard to La Vanguardia, ruling that the newspaper articles were legally published. But the SDPA agreed that Google Inc. and Google Spain must withdraw Mr. Gonzalez's personal information relating to those proceedings from its index and search results. Google brought an appeal to the National High Court of Spain who referred a series of questions to the CJEU, the highest court in the EU.

The Right to be Forgotten in EU

The CJEU's final ruling stems from the EU's highly protected privacy rights that are enshrined in the European Convention on Human Rights3and have been interpreted broadly by the courts. EU policies also explicitly protect individuals in the processing and publication of personal data.4 In 2012, the European Commission proposed even further sweeping online privacy protection regulations including a reinforced "right to be forgotten."5

In this context, the CJEU decision in Google v AEPD held that search engine operators such as Google are subject to EU data protection laws. The reasoning is that search engines collect, process and control data when automatically and systematically searching for information, then retrieve, record and organize the data, and finally process and disclose it to internet users. The CJEU held that EU citizens have the right to directly request that search engine operators remove hyperlinks of personal information that are "inadequate, irrelevant or no longer relevant, or excessive in relation to [the purposes for which they were collected or processed] and in the light of the time that has elapsed." However, this "right to be forgotten" is more akin to a right to digital obscurity since the actual content (such as in Mr. Gonzalez's case, the original publication by La Vanguardia) is not removed from the Internet, but merely the search provider's link to it is removed.

The CJEU recognized that the right to be forgotten must be balanced against a public interest right to know and access information. Therefore, determining whether links to web pages should be removed from a search engine's index will depend on (i) the nature of the information in question, (ii) the personal or sensitive relevance to a person's private life, and (iii) the public's interest in having access to this information. In an effort to strike the right balance, Google has created an advisory council to gather input and publish its findings.6

From a critical perspective, this decision establishes a heightened level of internet regulation in the EU that holds search engine operators responsible even though they are not the original publisher of information. Moreover, it creates uncertainty in practical implementation and risks imposing digital borders (for example, results about Mr. Gonzalez may be available in Canada or through other search engines that are not available through Google's European search results).

Furthermore, it is complicated by the fact—the troubling fact, according to access to information proponents and free speech advocates7 —that the onerous responsibilities of assessing and deciding upon the merits of requests to access information, and the added costs to develop and implement an appropriate policy, are left to search engine operators and not the original publisher. Facing uncertain liability, search engine operators may err in favour of removing information upon request even if the public has a legitimate right to know it. Whereas the original publisher seems to be the more appropriate target for correcting, updating or removing irrelevant, incorrect or excessive information.

Privacy and data protection concerns have taken centre stage since Edward Snowden, a former U.S. intelligence contractor, leaked details of U.S. surveillance programs.8 However, Google v AEPD contentiously prioritizes a person's right to privacy over the need to access data.

Online Privacy Rights in Canada

In Canada, federal privacy laws such as the Personal Information Protection and Electronic Documents Act ("PIPEDA") or provincial laws such as BC's Personal Information Protection Act govern individual privacy rights and regulate how private sector companies collect, use and disclose personal information.9

Canadian privacy laws already protect and allow individuals to govern the use of their personal information and image. Private sector companies cannot disclose personal information without consent unless it can be proven there is a legitimate public interest right to know. Individuals also have the right to expect any publication of their personal information to be accurate, complete and up-to-date. Consequently, PIPEDA gives individuals the right to request their online information removed by the original publisher if their consent is not given or if the information is not up-to-date.

The most comparable case to Google v AEPD in Canada is a 2011 decision, Crookes v Newton ("Crookes"), where the Supreme Court of Canada ("SCC") made a landmark ruling in the context of determining whether hyperlinks could constitute publication for defamation purposes.10 The SCC established that, when generating hyperlinks, search engine operators are not considered publishers given that hyperlinks are integral to the modern use of the internet and facilitating access to information.

Crookes is tremendously useful for distinguishing Canadian privacy laws from the EU "right to be forgotten:" since PIPEDA provides individuals the right to have their personal information removed by the original publisher, a "right to be forgotten" by search engine operators may not be necessary in Canada. Individuals in Canada also have the right to limit the use of their image online and to protect their reputation through copyright and defamation laws.11 Whether it is an improper use of a person's image for profitable purposes or the publication of defamatory material through anonymous blog posts, Canadian courts have upheld an individual's right to protect their privacy. Furthermore, the SCC's most recent privacy decision, R v Spencer,12 in June 2014 is another strong indicator of Canada's direction to protect internet users' privacy rights online. This decision held that there exists a reasonable expectation of privacy over one's own internet activities, such as browsing patterns or downloads.

While Google v AEPD does not set a legal precedent in Canada, there is no question that Canadian privacy commissioners will take notice as the case raises a key point of whether search engine operators can be held responsible for protecting and removing the personal data of persons.

Canadians' privacy rights with respect to information posted or gathered online are largely protected by existing laws, and the SCC has taken positions that seem to balance the right of privacy against both competing rights (such as the right to access information or the right to free expression) as well as the practicality of constantly evolving technology. However, the development of our privacy laws regarding information published online will continue to adapt in response to new challenges and subtleties of the use of information available on the internet, such as search engines' auto-complete and advertisements targeted to internet users as determined by their personal search preferences.

As such, while we do not have, and may not even necessarily need, a "right to be forgotten", Canadian companies that collect, use or disclose personal information may wish to review their practices to ensure that Canadians are given appropriate control over those activities as already required by Canadian privacy laws.

by Ryan J. Black, Éloïse Gratton, Sharon Groom, Karl E. Gustafson and Michelle Tam, Student-at-Law

1 Google Inc v Agencia Espanola de Proteccion de Datos (AEPD), (2014) CURIA c-131/12.

2 The Spanish Data Protection Agency is referred to in Spain as the "Agencia Espanola de Proteccion de Datos."

3 European Convention on Human Rights, Article 8

4 The Data Protection Directive 95/46/EC and General Data Protection Regulation

5 http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm

6 https://www.google.com/advisorycouncil/

7 http://www.thestar.com/business/tech_news/2014/05/16/right_to_be_forgotten_ruling_lacks_balance_geist.html

8 Mr. Snowden has since been charged with two counts of violating the Espionage Act and theft of government property by the U.S. Department of Justice: http://www.theguardian.com/world/edward-snowden/

9 Personal Information Protection Act, SBC 2003 c. 63: http://www.bclaws.ca/Recon/document/ID/freeside/00_03063_01; Personal Information Protection and Electronic Documents Act, SC 2000, c 5: http://www.priv.gc.ca/leg_c/r_o_p_e.asp

10 Crookes v Newton, 2011 SCC 47: http://scc-csc.lexum.com/scc-csc/scc-csc/en/item/7963/index.do

11 In British Columbia, the Privacy Act, RSBC 1996 c. 373: http://www.bclaws.ca/Recon/document/ID/freeside/00_96373_01, also creates a privacy tort where someone's name or portrait is used without license for the purpose of advertising or promoting the sale of a property or service.

12 R. v. Spencer, 2014 SCC 43: http://scc-csc.lexum.com/scc-csc/scc-csc/en/item/14233/index.do


a cautionary note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2014