The so-called ‘right to be forgotten’ (hereafter “RTBF”) is an often trumpeted aspect of the GDPR; it is an important right, but one that is rather more restricted in nature than is understood. The RTBF is not a new right within he GDPR, but has foundation within current data protection law and practice. On 13 March 2014, the Grand Chamber of the Court of Justice of the European Union gave its judgment in Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (“Google Spain”), which it has popularly been said created a ‘right to be forgotten’. The court did not, in fact, grant a right to be forgotten; instead, the court required search engines, such as Google, to consider requests from individuals to have links to webpages concerning them de-listed from Google search results in certain circumstances.
Fast forward to 13th April 2018, a little over 4 years since the decision in Google Spain, Mr Justice Warby handed down his judgment in NT1 & NT 2 v Google LLC [2018] EWHC 799 (QB); cases which both concerned the RTBF. NT1 and NT2 are both businessmen who were convicted of criminal offences. In respect of NT1, he was involved in a controversial property business in the late 1980s and the early 1990s (while in his thirties). In the late 1990s, while he was in his 40s, NT1 was prosecuted and convicted, after trial, of a criminal conspiracy connected with those business activities. He was sentenced to a period of imprisonment and his conviction has since become “spent”. In addition to the matters for which he was convicted, he was also accused of, but never prosecuted for, a separate conspiracy connected with the same business. Some of the businesses former staff were eventually convicted in relation to that separate conspiracy. There was media reporting of these and related matters at that time. Links to that reporting are made available by Google in its search results. On 28 June 2014, not long after the CJEU’s decision in Google Spain, NT1 made a de-listing request to Google in respect of six links. Google agreed to block one link, but not the other 5. Google stood by its position when NT 1 asked for them to reconsider their decision. In January 2015, a second de-listing request was made by NT1, this time through his solicitors. Google replied to that de-listing enquiry in April 2015, refusing it.
NT2’s case is quite separate from that of NT1; the two claims were tried separately, but were heard one after the other and involved the same judge and the same representation. NT2’s case has some similarity in terms of its facts and it raises similar issues of principle to that of NT1. While in his 40s and sometime in the early 21st century, NT2 was involved in a controversial business which experienced public opposition in relation to its environmental practices. NT2 pleaded guilty to two charges of conspiracy in connection with that business. This was “rather more than ten years ago” [para 7]. NT2 received a short prison sentence and spent six weeks in custody before being released; his conviction also became spent. On 14 April 2015, NT2 made a de-listing request to Google in respect of 8 links. Google declined to de-list any of the links.
Ultimately, NT2 was successful in obtaining orders requiring Google to de-list while NT1 was unsuccessful.
Journalism, literature and art exemption
Google had, in its defence to these claims, sought to place reliance upon the exemption in section 32 of the Data Protection Act 1998, which relates to “journalism, literature and art”. Warby J deals with this aspect of Google’s defence to the claims by the claimants in paragraphs 95-102 of the judgment. Warby J ultimately rejected Google’s reliance upon section 32 holding that the exemption did not apply in the first place; but even if it did, Google would have failed to meet the part of the test which is contained in section 32(1)(b). Warby J accepted that the EU law concept of journalism was a broad and elastic one which went beyond simply the activities of media undertakings and incorporates other activities which have as their aim the disclosure to the public of information, opinions and ideas. However, Warby J concluded that “the concept [of journalism] is not so elastic that it can be stretched to embrace every activity that has to do with conveying information or opinions. To label all such activity as “journalism” would be to elide the concept of journalism with that of communication.”
In Google Spain the CJEU was sceptical as to whether the exemption in Article 9 of the Directive (which is implemented through section 32 of the Data Protection Act 1998) would apply to an internet search engine such as Google. Warby J noted that this observation by the CJEU was not integral to its decision in Google Spain; however, concluded that “it is true”. Internet Search Engines do not, in the view of Wraby J, process personal data “only” for the purposes of journalism, literature or art.
In considering section 32 of the Data Protection Act 1998 Warby J concluded that there is a subjective and an objective element to each of section 32(1)(b) and (c). In relation to section 32(1)(b) Warby J concluded that the data controller had to have a subjective belief that the publication of the personal data in question would be in the public interest and this belief must be objectively reasonable. In respect of section 32(1)(c), Warby J considered that the data controller must prove that it had a subjective belief that compliance with the data protection principle(s) engaged would be incompatible with the special purpose and that belief must be one which is objectively reasonable.
Warby J explained in his judgment that if he was wrong in his conclusion that section 32 was not even engaged in this case, that he would have still rejected Google’s reliance upon it concluding that Google would have failed when it came to considering the test in section 32(1)(b). There was no evidence, Warby J concluded, that “anyone at Google ever gave consideration to the public interest in continued publication of the URLs complained of, at any time before NT1 complained” [para 102]
Schedule 3 of the Data Protection Act 1998
Clearly a great deal of the personal data at issue in these claims, being personal data relating to criminal convictions, is sensitive personal data (see section 2 of the Data Protection Act 1998). In order for processing of sensitive personal data to be in compliance with the first data protection principle, which requires personal data to be processed fairly and lawfully, the data controller must be able to rely upon one of the conditions in Schedule 3 to the Data Protection Act 1998 (in addition to one of the Schedule 2 conditions). This is an area where Google had a great deal of difficulty.
Warby J rejected most of the Schedule 3 grounds that Google sought reliance upon (see paras 107-109). However, in paragraph 110 of his decision, Warby J, decides that condition 5 in Schedule 3 was satisfied: “that “the information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.” In reaching this conclusion, Warby J relies upon the decision of Stephens J in Townsend v Google Inc [2017] NIQB 81. In Townsend, Stephens J concluded that as a consequence of the principle of open justice, when an offender commits an offence, even in private, he deliberately makes that information public (see para 65 of Townsend). In NT1 and NT2, Counsel for the Claimants, Hugh Tomlinson QC, takes issue with the conclusions of Stephen J and Counsel’s arguments are set out briefly by Warby J towards the end of paragraph 110. Warby J concludes that, in his view, that the reasoning of Mr. Tomlinson was not sound.
I must confess that I have a great deal of difficulty with the reasoning of Warby J and Stephens J on this point. I struggle to see how the commission of an offence by an individual amounts to them taking positive steps to make the information public. The conclusions of Warby J and Stephens J do not seem to me to fit with the statutory language in the Data Protection Act 1998 nor the language of the Directive which it implements. Warby J considered that the language in Article 8.2(e) of the Data Protection Directive is “obscure”. It seems to me that the language of the Directive is the complete antitheses of “obscure” and that section 32 does not adequately implement the requirements of the Directive in this regard. The only UK jurisdiction yet to grapple with this issue is Scotland. Neither the Northern Irish nor the English and Welsh court decisions are from appellate level courts. For the time being we have two first instance courts in two jurisdictions reaching the same conclusion; that will undoubtedly be considered somewhat persuasive by other first instance judges.
The balancing exercise
The court in Google Spain required a balancing exercise to take place between the rights within the European Convention on Human Rights to a private and family life (Article 8) and freedom of expression (Article 10). Following Google Spain the ‘Article 29 Working Party’ (soon to become the European Data Protection Board) issued guidance on the Google Spain decision. These guidelines provide helpful assistance, but do not prescribe the factors which are to be taken into consideration; it is acceptable to go beyond the factors in the guidance [para 135].
In respect of NT1, Warby J attached some weight to the conduct of the Claimant post-conviction; in particular, NT1 had caused to be published about him on the internet (by a reputation management company known in the judgment by the fictitious name of ‘cleanup’) misleading statements about his character and integrity: NT1 had been convicted of a substantial offence of dishonesty and had received a substantial prison sentence for that. This can be contrasted with NT2 who had not been convicted of an offence of dishonesty, had entered a plea of guilty and had shown remorse.
The contrast is an interesting one because while each case will inevitably turn on its own facts, it shows the kind of issues that the court is likely to take into consideration when balancing the competing Article 8 and 10 rights.
Interaction between the Rehabilitation of Offenders Act and the Data Protection Act 1998
The Rehabilitation of Offenders Act 1974 (“ROA”) differs in Scotland from what is in force in England and Wales; of course, these claims deal with the ROA as it applies in England and Wales. The differences in the substance of the Act do not, however, affect the principles which are in play when looking at the interaction between the ROA and data protection law.
The ROA creates a, somewhat limited, right to rehabilitation and Warby J concluded that this right to rehabilitation is an aspect of privacy law. Warby J concluded that “[t]he rights and interests protected include the right to reputation, and the right to respect for family life and private life, including unhindered social interaction with others.” Furthermore, Warby J concluded that “[u]pholding the right [to rehabilitation] also tends to support a public or societal interest in the rehabilitation of offenders.” Importantly though, the right to rehabilitation is a qualified right. As with most cases involving rights, the rights of the offender to rehabilitation do come into conflict with the rights of others, in particular their rights to information and freedom of expression.
As a starting point, a person who is party to legal proceedings held in public (such as the accused in a criminal trial) does not have a reasonable expectation of privacy. However, there may well come a point in time when they can have such an expectation. The ROA works to prevent the disclosure of certain criminal offences for which a person has been convicted after a specified period of rehabilitation. It does not, Warby J concluded, mean that in 1974 Parliament legislated for a right to privacy or confidentiality from the point at which the offence became “spent”.
The rehabilitated offender’s right to a family and private life in respect of a spent conviction will normally be a weighty factor against further use of disclosure of that information; however, it is not a conclusive factor. The “balancing exercise will involve an assessment of the nature and extent of any actual or prospective harm. If the use or disclosure causes, or is likely to cause, serious or substantial interference with private or family life that will tend to add weight to the case for applying the general rule.” [para 166]
Paragraph 166 of Warby J’s judgment is well-worth reading in full for anyone who is involved in balancing exercises of this nature.
At the end of the day, de-indexing (or de-listing) from internet search results does not cause the information to disappear completely. The effect that it has is to make the information more difficult to find. It will still be possible for a person, with sufficient determination, to discover and access the information. In the modern day world we are used to being able to put search terms into Google (and other search engines) and have millions, if not billions, of results returned to us in a fraction of a second. The search engines have developed algorithms which help to bring the content that is seemingly most relevant to the top of those results with the seemingly least relevant placed at the end of the long list of results. Information is much more readily available than it was in 1974; some might argue that cases such as NT1 and NT2 simply return the position back to something which more closely resembles 1974.
It is quite probable that we will begin to see cases like NT1 and NT2 arise more frequently. The qualified right to erasure within the GDPR has attracted a lot of attention and individuals are certainly more aware of ‘the right to be forgotten’. The GDPR arguably doesn’t take us forward from what was determined in Google Spain, but simply gives it a statutory basis as opposed to one that is derived mostly from case law. The qualified right to erasure within the GDPR is, as noted above, often overstated and this will inevitably, in the event that people seek to enforce it more frequently, lead to disputes between controllers and data subjects.
Alistair Sloan
Should you require advice or assistance about UK Data Protection and Privacy law then contact Alistair Sloan on 0141 229 0880. You can also contact him by E-mail. You can also follow our dedicated Twitter account covering all Information Law matters: @UKInfoLaw