Thursday, 15 May 2014

European Court Ruling Bolsters Right To Be Forgotten

ECJ ruling classifies search engines as data ‘controllers’ and gives data subjects a means to require search engines to delete links, even where the underlying pages were published lawfully

May 13, 2014

By Jedidiah Bracy, CIPP/US, CIPP/E
In what many are calling an historic decision, the European Union’s highest court has ruled that Google must provide individuals, in certain instances, with a right to have links about themselves removed from search results, including, in some cases, links to public records.

The European Court of Justice (ECJ) said the automatic indexing of information that contains personal data “must be classified as ‘processing of personal data’” and that “the operator of the search engine must be regarded as the ‘controller’ in respect to that processing…” Additionally, “the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person,” even “when its publication in itself on those pages is lawful.”

An individual’s fundamental rights, the court also ruled, override “the economic interest of the operator of the search engine but also the interest of the general public” in having that information. The exception arises where the role played by the subject in public life means that the general public’s interest in accessing the information is justified.

On leave from her role as European justice commissioner, Viviane Reding said, “Companies can no longer hide behind their servers being based in California or anywhere else in the world” and that “the data belongs to the individual, not the company.”

In comments provided to The Privacy Advisor, German Green Member of Parliament and architect of the proposed data protection regulation Jan Philipp Albrecht said the ruling “is the right decision” and that it “clarifies that European data protection law is applicable as soon as a data controller is operating on the European market.” He also stressed the importance of adopting “a uniform and consistent data protection regulation in order to strengthen the enforcement of such rights in all areas of the law and throughout the EU” and that governments “must finally deliver on this issue at the next Justice and Home Affairs Council in June.”


For some, however, the fact that existing legislation provides for the right to be forgotten puts in question the need for a new regulation at all. Richard Cumbley of Linklaters told The New York Times, “Given that the EU has spent two years debating this right as part of the reform of EU privacy legislation, it is ironic that the ECJ has found it already exists in such a striking manner.”

But Wilson Sonsini’s Christopher Kuner said this ruling could actually provide further impetus to pass the proposed General Data Protection Regulation, as it more clearly spells out the Right-to-be-Forgotten concept and is more uniform in its application. Right now there are 28 different countries with 28 different privacy regimes. “If I were a company,” he said, “I’d say bring on the regulation because at least there’s a specific article on this, but today’s ruling is based on multiple articles” from the Directive.

Calling the decision “a real game-changer,” privacy expert Eduardo Ustaran, CIPP/E, told The Privacy Advisor, “As a result, search engines operating in Europe will now have to deploy measures to deal with the obligations and rights attached to the personal information revealed in searches.”

Operationally, this will “put search engines in the extremely onerous position of having to take a view on how to comply with potentially millions of individual requests.” In a 2012 article for The Privacy Advisor, a number of experts detailed some of the technical problems companies may face in implementing such controls.

The case goes back to a 2009 incident involving a Spanish citizen who objected to having a Google search of his name include a 1998 Spanish newspaper article that reported on his financial debts and the forced sale of his property. The plaintiff said he had resolved the financial issue and demanded that the local newspaper delete the links to the story. When it refused, the plaintiff asked Google to do the same. The case made its way to the Spanish data protection authority, which ordered Google to remove the links. Google challenged the DPA’s ruling and the case was finally referred to the ECJ.

The ruling contrasts with the non-binding opinion delivered in June 2013 by the ECJ’s Advocate General Niilo Jääskinen, who concluded that Google did not need to delete the links because it was not the “controller” of the data, and that information should only be deleted where the personal information is incomplete or inaccurate.

In the past, Google has argued that the right to be forgotten amounts to censorship. A Google spokesman told Wired, “This is a disappointing ruling for search engines and online publishers in general. We are very surprised that it differs so dramatically from the advocate general’s opinion and the warning and consequences that he spelled out. We now need to take time to analyse the implications.”

The ECJ ruling has some up in arms about potential freedom of expression and censorship concerns. Ustaran said, “Whilst the court does not go so far as letting people share their online persona without taking freedom of expression into account, it allows some form of tailor-made censorship.”

George Mason University’s Adam Thierer went further, arguing, “Right-to-be-forgotten efforts are well-intentioned and seductive, but ultimately, they will require onerous censorial controls that place serious pressure on free speech, journalistic pursuits and net freedom more generally.”

As legal experts begin parsing out the legal ramifications of the ruling—Patrick van Eecke takes an initial swing in this post for The Privacy Tracker—ultimately, commenters agree, the ripples will be felt for some time.

Technologically speaking, Prof. Joel Reidenberg points out that algorithms are at play here as well.

Kuner said there remain a lot of unanswered questions and that this ruling “opens the door to many unintended consequences.”

Beyond Google, what other companies will this apply to? If your website has a Google search bar in it, does that make you a co-controller? He also said the ripple effect will not only place an administrative burden on search engine companies, but on the courts and data protection authorities as well. Will they have the resources to deal with a flood of complaints?

“In summary,” Ustaran concluded, “this decision could have very serious implications for the way in which we all access information on the Internet.”

Tuesday, 13 May 2014

Woman’s medical records disclosed to an insurance company

Irish Times, 12th May 2014

The Data Protection Commissioner’s office dealt with 1,507 valid data breach notifications, including the largest such breach it had ever dealt with – the breach by the Ennis-based company Loyaltybuild, which processed holiday loyalty schemes on behalf of companies all over Europe, including Supervalu and Axa in Ireland.

The disclosure by a GP of a woman’s medical records to an insurance company and the sending of an email containing a patient file by another GP to an incorrect address were among the case studies highlighted in the 2013 annual report.

Notification was also received by the Data Protection Commissioner’s office from a medical practitioner that their computer system had been compromised by ‘ransomware’ and that they were unable to access their patient files.

They had received a demand for €5,000 in return for the reinstatement of the data, but they had informed gardaí and had not paid the ransom. Five months’ worth of patient files were lost, as the practitioner also discovered that the back-up files had been infected with the rogue software.
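The practitioner’s loss came from back-ups that the infected machine could reach and rewrite, so the encrypted copies were only discovered when a restore was attempted. As an added example (not code from the Irish Times report or from the Commissioner’s annual report), the following Python script shows the check a practitioner would want in place before that point: a SHA-256 manifest of every backed-up file is recorded at backup time to storage the backup host cannot alter, and a later verification pass flags files that no longer match, separating rewritten files whose content looks encrypted (very high byte entropy) from ordinary changes. The backup directory, the manifest location, the entropy threshold and the scenario inside `demo()` are all assumptions constructed for the example.

```python
"""Verify a backup against an off-host SHA-256 manifest and flag
files that appear to have been overwritten by ransomware.

Added example; the directory layout, the 7.5 bits/byte threshold and the
sample files in demo() are constructed for illustration.
"""
import hashlib
import json
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Plaintext, CSV and office documents typically score well below this;
# encrypted or compressed data sits close to 8.0. Heuristic, not proof.
ENTROPY_THRESHOLD = 7.5


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the byte histogram (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(
        (count / total) * math.log2(count / total)
        for count in Counter(data).values()
    )


def build_manifest(backup_dir: Path) -> dict:
    """Map each file (relative path) to its SHA-256. Store the result somewhere
    the backup host cannot write, e.g. write-once media or a separate account."""
    return {
        str(p.relative_to(backup_dir)): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the backup tree with the manifest.

    Returns lists of files that are unchanged, modified, missing, modified and
    high-entropy (suspect encrypted), and present but absent from the manifest
    (e.g. a dropped ransom note)."""
    result = {"ok": [], "modified": [], "missing": [], "suspect_encrypted": [], "unexpected": []}
    present = {str(p.relative_to(backup_dir)) for p in backup_dir.rglob("*") if p.is_file()}
    for rel, expected in manifest.items():
        path = backup_dir / rel
        if not path.exists():
            result["missing"].append(rel)
            continue
        if sha256_file(path) == expected:
            result["ok"].append(rel)
            continue
        result["modified"].append(rel)
        # Only sample the first 64 KiB; enough to distinguish ciphertext from text.
        if shannon_entropy(path.read_bytes()[:65536]) > ENTROPY_THRESHOLD:
            result["suspect_encrypted"].append(rel)
    result["unexpected"] = sorted(present - set(manifest))
    return result


def demo() -> dict:
    """Constructed scenario: take a backup, record the manifest, then simulate
    ransomware overwriting one backup file with random bytes and dropping a note."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        backup.mkdir()
        (backup / "patients.csv").write_text("id,name,dob\n1,Example Patient,1970-01-01\n" * 50)
        (backup / "notes.txt").write_text("clinical notes placeholder\n" * 50)
        manifest = build_manifest(backup)  # in practice written to off-host storage
        # Simulated ransomware: random bytes stand in for the encrypted file.
        (backup / "patients.csv").write_bytes(os.urandom(4096))
        (backup / "README_DECRYPT.txt").write_text("pay 5000")
        return verify_backup(backup, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest only helps if the malware cannot reach it, which is also the reason a verified off-line copy, and a periodic test restore from it, matter more than any detector: by the time a file fails verification the original may already be gone. The entropy test is a heuristic; already-compressed archives score high too, so treat it as a triage signal on files whose hash changed rather than as proof of encryption.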

Case studies highlighted also included a complaint against Carphone Warehouse, after a trainee employee gave out a customer’s home address, in an “isolated” area, to two individuals who claimed to have found her stolen mobile phone, said they wanted to return it to her and were seeking a reward for finding it.

The report said the disclosure of the woman’s address to strangers resulted in “considerable distress” and that, regardless of the fact that the employee concerned was a trainee, the disclosure should not have happened.

Electric Ireland was the subject of a complaint over its ‘Feet on the Street’ marketing campaign after a sales agent called to a former customer’s home and was in possession of their personal details.

The Data Protection Commissioner told Electric Ireland its processing of the information was unlawful.

Mr Hawkes said companies needed to “tread carefully” in the space of win-back marketing campaigns as “without the prior marketing consent of the former customers concerned, there is no legal basis to process marketing lists using such retained personal data”.

It was also “disappointing” that the telecommunications sector remained a cause of complaint given the number of prosecutions taken against that sector in recent years for marketing offences.

Prosecutions were taken during the year against Eircom, Meteor, Telefonica (O2) and Vodafone for such offences.


Some 61 per cent of data breaches were the result of postal mailing breaches. The annual report said that while a number of these were the result of mail merge issues at the printing stage, “an unacceptably high” percentage were the result of human error.

Complaints about unsolicited direct marketing text messages, emails, phone calls and fax messages were 22.4 per cent of the total.

Bad customer service was increasingly the driving force behind people making requests under the Data Protection Acts to get access to their personal data, the commissioner’s office said.

The 517 complaints concerning access requests accounted for some 56.8 per cent of the total of 910 complaints opened by the Data Protection Commissioner’s office in 2013. This was the highest number ever received by the office in this category.

Mr Hawkes said this pointed to the extent of the difficulties being experienced by individuals in their efforts to exercise their rights and the barriers that some data controllers place in their way.

“Data protection has to be a corporate concern, a boardroom concern, with the clear direction coming from the top of every organisation whether that’s in the public or private sector.”

Audits were carried out on 40 organisations last year, including LinkedIn Ireland, Siptu, AA Ireland, the Health and Safety Authority, Irish Life, An Post, IBRC, Carlow Institute of Technology, Advanced Laser Light and several credit unions.

Public service told to better protect personal data

Commissioner Billy Hawkes cites example of man whose data was accessed by ex-wife working in Department of Social Protection

Irish Times, Monday 12th May 2014

Action is needed to tackle deficiencies in how the public service protects the personal data of citizens before such action is triggered by a “crisis”, the Data Protection Commissioner has said.

Billy Hawkes was speaking today on the publication of his annual report for 2013, which is his final annual report in the office. He retires in August.

Mr Hawkes highlighted a number of issues of concern and said his audits of State organisations had “in too many cases, shown scant regard by senior management to their duty to safeguard the personal data entrusted to them – a duty that is all the greater because of the legal obligation to provide such personal data to the State”.

“Laudable objectives such as fraud prevention and greater efficiency must meet a test of proportionality in the manner in which data is used.”

In one case study published in the report, his office received a complaint from a man concerned about inappropriate access to his details by an employee of the Department of Social Protection, namely his ex-wife.

There were 12 instances of unauthorised access to his records between February 2004 and July 2009. An investigation was carried out by the department and the matter was referred to the HR division for possible action under the Civil Service Disciplinary Code.

Mr Hawkes said once again this case highlighted “the unacceptable practice by some individuals of snooping through official records for personal reasons unconnected with their official duties”. Taking no action against individuals caught engaging in such activity was “not acceptable”, and it should be clear to all users that there were “serious negative consequences” for unauthorised access to personal information for unofficial purposes.

“Varying degrees of personal information relating to every citizen in the State is held on databases within Government Departments and officials who have access to this information to conduct their official duties are entrusted to access and use that information in accordance with the requirements of their functions,” he said.

“Straying beyond the boundaries of their official duties in terms of accessing personal records amounts to unlawful activity by the individuals concerned. For that reason, it is critical that data controllers, such as a Government Department in this case, have robust disciplinary policies in place to deal with any breaches.”

Mr Hawkes told The Irish Times he believed “the State system in general is not paying sufficient attention to its responsibilities for the quantum of data it holds on all of us”.

“I suppose if I had a parting wish as Data Protection Commissioner it is that there would be system-wide action taken on data protection – that would be the responsibility of the Department of Public Expenditure and Reform - rather than have it triggered by a crisis, which I think is inevitable unless action is taken.”

In relation to the audit of the An Garda Síochána Pulse system, which was published earlier in the year, Mr Hawkes recommended in his report that the force should have a dedicated data protection unit.

He said he expected the force to now “actively enforce” the terms of a directive from headquarters and to take “strong and appropriate disciplinary action against any persons abusing their access to Pulse and prosecutions against any person found to be using such access for gain”.

He also expressed concern about the use for criminal purposes of the fingerprints of individuals who were required to provide such prints in connection with applications for asylum, visas and residence.

In his report, Mr Hawkes said the debate resulting from the revelations last year by the former NSA contractor Edward Snowden of the extent of access by US and European intelligence agencies to personal data had “thrown a welcome spotlight on the general issue of state access to personal data”.

A recent decision by the Court of Justice of the European Union to invalidate the EU Data Retention Directive relating to phone and internet data had “clearly set out the need for proportionality in this area”.

“The CJEU judgment also shows the importance of challenging such privacy-destroying measures, as was done in this case by Digital Rights Ireland, supported by the Irish Human Rights Commission.”

Wednesday, 2 April 2014

Timeline of Garda Taping Scandal

Irish Independent, 27th March 2014

June 2013: Garda Ombudsman report on arrest and beating of Anthony Holness in Waterford refers to recording of phone conversations in garda station. The report goes unnoticed.

October: Garda management becomes aware of the extent of the phone recordings due to another case.

November 11: Garda Commissioner consults with Attorney General's (AG) office on recording of phone calls.

November 25: Ian Bailey, the self-confessed suspect in the Sophie Toscan du Plantier murder, and his partner Jules Thomas, are separately suing the State for wrongful arrest in the investigation.

Their legal teams are told "unexpected electronic material" has been found in a trawl of garda case files. The High Court gives the gardai until this week to unscramble the data – believed to be recorded phone calls.

November 27: Garda Commissioner orders a halt to routine recording of non-999 calls at Garda stations.

February 28, 2014: Department of Justice informed by Chief State Solicitor's Office and gardai about the recording of phone calls.

March 10: Garda Commissioner writes to the Department of Justice revealing gardai were involved in widespread recording of phone calls in and out of stations.

March 11: Commissioner Callinan meets with officials in the Department of Justice and the AG's office on the issue of the taped phone calls related to a civil case.

March 15: Mr Shatter flies to Mexico for St Patrick's Day visits.

March 19 and 20: Garda HQ sends copies of letters between it and the AG's office and the Data Protection Commissioner on the controversial taping of phone calls to the Department of Justice.

March 21: Mr Shatter returns from Mexico.

March 23: Taoiseach Enda Kenny meets AG Maire Whelan, who briefs him on taping scandal.

March 24: Mr Shatter learns of the issue and meets Taoiseach and AG.

On Taoiseach's instructions, Dept of Justice Secretary General Brian Purcell meets Commissioner Callinan to inform him of Government's views.

March 25: Cabinet meeting due to be dominated by Transport Minister Leo Varadkar's demand for Commissioner Callinan to withdraw comments about whistleblowers.

Mr Callinan informs the Department of Justice of his retirement at 9am. Cabinet meets at 10.30am and, at 12.40pm, Mr Shatter receives the letter sent to him on March 10.

Government decides to launch a Commission of Investigation into garda taping.

Tuesday, 1 April 2014

Recording phone calls could have implications for data protection

Irish Times, Wednesday 26th March 2014

Taping and recording of phone calls in Garda stations could have serious implications for data protection and for the legal privilege of discussions between people detained at Garda stations and their solicitors, legal experts have said.

It could also potentially result in the overturning of some convictions in specific circumstances.

Under Irish law, it is not illegal for a person to record a phone call if they are a party to that call, but it is an offence if a third party records a call without authorisation under the Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993.

Legislation also requires that when personal data of individuals is collected a record must be kept of it, and it must be registered under data protection legislation.

The Data Protection Acts state that a person’s information should only be collected for specific purposes and callers should be informed they are being recorded.

One leading barrister working in criminal law who did not want to be named said there could be serious implications if calls between people detained at Garda stations and their lawyers were recorded.

Privilege
Such discussions attract absolute legal privilege and could never be used as evidence in a court of law, he said, but there was a risk that information collected could be used against a person detained.

“It is impossible to come up with any conceivable justification for the gardaí or an adverse party to record that secretly,” he said.

He said it could be a leap to assume that because calls were recorded, they were listened to, but if they were it could come close to “perverting the course of justice”.

If information gleaned from recording a phone call was used in evidence it could lead to the exclusion of some evidence at trial or to an argument of abuse of process.

The recording of calls could also have implications for cases involving disclosure.

Gardaí and the Director of Public Prosecutions have an obligation to provide disclosure of any material that is of any relevance and the courts have interpreted this broadly, he said.

So if a person called a Garda station to speak to a garda about a case, that communication if recorded would be subject to the normal disclosure.

He said yesterday’s revelations could lead to a flood of applications for disclosure of any calls being made.

“There must be cases out there now where that is a live issue; there is a flurry to prove the fact of the phone call, and then evidence of its content from people’s recollections,” he said.

In past cases, disclosure has been sought to see if there is a record of a telephone call to a Garda station and gardaí have produced records from a phone company.

‘Remarkable’
“It is remarkable now that they were producing the phone records if at the same time they also knew they had recordings,” the barrister said.

He also said he thought it was possible that if a person could show they had been convicted in specific circumstances where there was a live issue in respect of the content of a telephone call, a conviction could be overturned.

A second barrister working in the area of criminal law said the implications for data protection were very important. Gardaí appeared to be retaining personal data on individuals and legislation required that a proper record of such data be kept and that it is registered with the data protection commissioner.

“Presumably they haven’t done that,” he said.

If they had done it and a scheme had been put in place and authorised that would raise other issues.

He said any recording of calls to solicitors was very serious as they could be used as “intelligence gathering” exercises.

Separately, the Irish Council for Civil Liberties has said the Government should allow its new statutory Commission of Investigation to examine “the full spectrum of Garda accountability issues” that have arisen in recent weeks.

Wednesday, 5 February 2014

Three companies fined over calls and emails to customers

Irish Times, Tue, Feb 4, 2014

Three companies have been given court convictions for making unsolicited marketing phone calls and sending spam emails. Energy company Airtricity Ltd, clothing chain Next and Pure Telecom are the latest firms to be successfully prosecuted at Dublin District Court by the office of the Data Protection Commissioner. The case was taken after the watchdog received complaints from members of the public about being contacted for marketing purposes.

Judge William Hamill noted yesterday the companies had pleaded guilty at an early stage to charges under the Data Protection Act, and had contributed to the costs of bringing the case. But he refused to spare them recorded convictions. Pure Telecom was fined €500, Airtricity has to pay a €75 fine and Next was fined €100. Assistant Data Protection Commissioner Tony Delaney told Judge Hamill that one woman had used Next’s unsubscribe facility to stop getting spam from the clothing chain. However, that did not work and on February 25th and February 28th last year she received more marketing emails from the company. “One of them was a gift idea for mother’s day,” Mr Delaney said adding that they were, “typical marketing emails but clearly when she had opted out she should not have been getting them”.

Complaint

Judge Hamill noted the company had no prior convictions and that Next had used a third-party company to handle the unsubscribe process but has since stopped dealing with them.

In relation to Pure Telecom, Mr Delaney said his office received a complaint from a man with an ex-directory phone number who had received two promotional cold calls last March.

Judge Hamill was told Pure Telecom had been fined €1,250 in 2010 for a breach of data protection regulations. The company’s director Paul Connell said the calls came from a third-party agent which has since been dismissed, and he apologised to the complainant.

The court also heard a man with an ex-directory phone number had received a call on May 10th last offering a promotion on behalf of Airtricity which had then been using a third-party sales company to handle a promotion.

Judge Hamill heard this company had been using an old computer with an out-of-date call list from 2009.

The court heard Airtricity had no prior convictions but had been given a formal warning in 2010 in relation to other complaints.

Wednesday, 22 January 2014

77 per cent of company data breaches are caused by employees

The Journal.ie
21st January 2014

The survey found that almost a quarter of Irish companies have experienced multiple data breaches over the past twelve months.

More than half of Irish companies have experienced a data breach in the last twelve months, the majority of which were caused by staff members.

A new report from the Irish Computer Society (ICS), which surveyed IT administrators working in 256 Irish-based companies, found that 51 per cent of companies experienced a data breach in the past twelve months, while 22 per cent experienced multiple breaches.

The majority said that staff members were the main cause of data breaches with 77 per cent of incidents caused by “negligent employees.”

Other threats that concerned IT managers were unsecure end user devices, such as unencrypted laptops containing sensitive data, and external attackers trying to obtain data.

When asked about the correct adoption of data protection procedures, more than one in three said that policies were not implemented or were only partially implemented. Only 39 per cent said that their data protection policies were fully implemented.

The report also found that most employees were satisfied with the level of training they received in data protection with 57 per cent saying they received the right amount. 24 per cent of those surveyed said they received no training in this area, while 16 per cent said they received insufficient training.

The Chairman of the Association of Data Protection Officers, Fintan Swanton, believed it highlighted the need for organisations to take steps in managing their company’s data.

“Employees might appreciate the importance of data security, but organisations need to instil a culture of compliant data management… It is as much a case of protecting the organisation’s commercial reputation, as it is of protecting the individual’s privacy.”

The survey comes as new data protection legislation is introduced. The new legislation will require most organisations to have a Data Protection Officer.