The Right to be Forgotten:

Europe's possible impact on Asia

Gordon Hughes
6 October 2014

AUSTRALIA BELGIUM CHINA FRANCE GERMANY HONG KONG SAR INDONESIA (ASSOCIATED OFFICE)
ITALY JAPAN PAPUA NEW GUINEA SAUDI ARABIA SINGAPORE SPAIN SWEDEN
UNITED ARAB EMIRATES UNITED KINGDOM UNITED STATES OF AMERICA
Overview
Context What is the "right to be forgotten"?
Europe EC 1995 Data Protection Directive
• Google case
New proposal for a "right to be forgotten"
Australia ALRC's proposal – a "right to be deleted"
• Why has this been contemplated?
• ALRC's perceived gap in current Australian law
• Current status

Asia • Hong Kong

• India
• The Philippines
• Singapore

Policy considerations Balancing interests

• Freedom of expression v privacy
• Re-writing history v privacy
• Real-name policies v right of pseudonymity
• Anonymity v accountability

Next steps Where to from here?

2
The "right to be forgotten"

• A right of erasure of personal data from digital or

online systems
• Underlying rationale: to allow people greater
control over their personal information in today's
age of increased connectivity
• Policy challenge: Is this an over-correction which
challenges other fundamental values such as the
importance of accountability, the right to free
expression and the accurate recording of history?

3
Overview
Context What is the "right to be forgotten"?
Europe EC 1995 Data Protection Directive
• Google case
New proposal for a "right to be forgotten"
Australia ALRC's proposal – a "right to be deleted"
• Why has this been contemplated?
• ALRC's perceived gap in current Australian law
• Current status

Asia • Hong Kong

• India
• The Philippines
• Singapore

Policy considerations Balancing interests

• Freedom of expression v privacy
• Re-writing history v privacy
• Real-name policies v right of pseudonymity
• Anonymity v accountability

Next steps Where to from here?

4
European approach
• 1995 Data Protection Directive
Source: http://ec.europa.eu/

– Regulates the processing of personal data within the European Union

• Article 12: right of access

– Allows a person to ask for personal data to be deleted once that

data is no longer necessary

5
Article 12: right of access

Source: http://ec.europa.eu/

• Article 12 states:
Member States shall guarantee every data subject the right to obtain from the controller:
(a) without constraint at reasonable intervals and without excessive delay or expense:
- confirmation as to whether or not data relating to him are being processed and information at least as
to the purposes of the processing, the categories of data concerned, and the recipients or categories of
recipients to whom the data are disclosed,
- communication to him in an intelligible form of the data undergoing processing and of any available
information as to their source,
- knowledge of the logic involved in any automatic processing of data concerning him at least in the case
of the automated decisions referred to in Article 15 (1);
(b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply
with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the
data;
(c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking
carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort.

• Does this provide a right to insist upon deletion of data which at the
discretion of the individual, and does this equate to a "right to be
forgotten"? Not explicit.

6
Google v Gonzalez

• Google Spain, Google Inc v AEPD and Mario Gonzalez C-131/12 (2014)

• A Google search of Mr Gonzalez's name revealed links to two La Vanguardia

articles from 1998, which mentioned Mr Gonzalez's name in relation to an
auction for a repossessed home to recover social security debts

• In 2010, Mr Gonzalez lodged a complaint against with AEPD La Vanguardia,

Google Inc and Google Spain, claiming that these references to his personal
information were now irrelevant

• Mr Gonzalez argued that:

– La Vanguardia be required to remove or alter the pages in question, so that his

personal information no longer appeared; and
– Google Spain or Google Inc be required to remove or conceal his personal
information so that it ceased to be included in the search results and no longer
appeared in the links to La Vanguardia

7
Google v Gonzalez

Source: http://www.theguardian.com/world/blog/2014/may/14/mario-costeja-
gonzalez-fight-right-forgotten

8
Google v Gonzalez

• AEPD rejected complaint against newspaper but upheld

complaint against both Google entities

• AEPD ordered the withdrawal of data from the Google index and
required Google to ensure that links were not viewable via the
search engine

• Google entities appealed to National High Court which in turn

referred the case to the Court of Justice of the European Union

9
Google v Gonzalez (cont'd)

• Primary questions for EU Court of Justice:

– Does Data Protection Directive apply to search engines such as

Google?

– Does the Directive apply to Google Spain if the company's data

processing server is in the USA?

– Does an individual have a right to request that data be removed

from accessibility via a search engine (the "right to be forgotten")?

10
Google v Gonzalez (cont'd)

• EU Court of Justice delivered its findings on 13 May 2014

• Search engines held to be "data controllers" whose activities play

a decisive role in the overall dissemination of information

• The activities of the operator of the search engine (Google Inc)

and those of its "establishment" in Spain (Google Spain) held to
be inextricably linked: the advertising activity provided by
Google Spain "constitute[s] the means of rendering the search
engine…economically profitable"

11
Google v Gonzalez (cont'd)

EU Court of Justice held, in relation to the existing Data Protection

Directive:

"…even initially lawful processing of accurate data may, in the course of time,
become incompatible with the directive where those data are no longer
necessary in the light of the purposes for which they were collected or
processed. That is so in particular where they appear to be inadequate,
irrelevant or no longer relevant, or excessive…

Therefore, if it is found…that the inclusion in the list of results displayed

following a search made on the basis of [the data subject's] name…is, at this
point in time, incompatible with… [the Directive] because that information
appears to be inadequate, irrelevant or no longer relevant, or
excessive…the information and links concerned in the list of results must be
erased."

12
Google v Gonzalez (cont'd)

• Key messages from EU Court of Justice judgment:

– Under certain circumstances, individuals have the right to ask search

engines to remove links containing personal information about them

– This "right to be forgotten" is not absolute, but must be assessed on

a case-by-case basis. Consider:

• The type of information concerned;

• The sensitivity of the information; and
• The role played by the data subject in public life (and the corresponding
interest of the general public in having access to the relevant
information)

13
New European Commission proposal
• European Commission has released a draft "General Data
Protection Regulation" to replace the 1995 Data Protection
Directive
• The draft Regulation:
– aims to harmonise existing data protection laws across EU member
states (1995 Directive has been implemented in a fragmented
manner)
– will apply to non-EU based organisations, if they process the
personal data of EU residents
– contains a "right to erasure" in Article 17, which gives data subjects
the right to have personal data erased by a data controller under
certain circumstances
– introduces substantial penalties

Source: http://ec.europa.eu/
14
Overview
Context What is the "right to be forgotten"?
Europe EC 1995 Data Protection Directive
• Google case
New proposal for a "right to be forgotten"
Australia ALRC's proposal – a "right to be deleted"
• Why has this been contemplated?
• ALRC's perceived gap in current Australian law
• Current status

Asia • Hong Kong

• India
• The Philippines
• Singapore

Policy considerations Balancing interests

• Freedom of expression v privacy
• Re-writing history v privacy
• Real-name policies v right of pseudonymity
• Anonymity v accountability

Next steps Where to from here?

15
ALRC proposal – a "right to be deleted"
• In its Discussion Paper on Serious Invasions of Privacy in the Digital
Era (March 2014), ALRC proposed the introduction of a new APP
which would require an APP entity to:

a) provide a simple mechanism for an individual to request destruction or

de-identification of personal information that was provided to the entity
by the individual; and
b) take reasonable steps in a reasonable time, to comply with such a
request (subject to suitable exceptions), or provide the individual with
reasons for its non-compliance.

• This new Australian Privacy Principle was intended to:

– complement the 13 existing APPs; and

– reduce the risk of harm caused by a serious invasion of privacy in the
digital era.

16
ALRC proposal – a "right to be deleted"
• Possible extension of the ALRC's proposed new Australian Privacy
Principle to:

a) require the APP entity who receives the request to provide the
requesting individual with a list of third parties who have received
the information; and
b) require the APP entity who receives the request to notify any third
parties (with which it has shared the information) of the request.

17
ALRC proposal – a "right to be deleted"
• Possible take-down regime empowering regulators to order an
organisation to remove private information about an individual,
whether provided by that individual or a third party, from a
website or online service controlled by that organisation where:
a) the individual makes a request to the regulator to exercise its
power;
b) the individual has made a request to the organisation and the
request has been rejected or has not been responded to within a
reasonable time; and
c) the regulator considers that the posting of the information
constitutes a serious invasion of privacy, having regard to freedom
of expression and other public interests.
• ALRC acknowledged impact on freedom of expression, and hence
only flagged as a possibility.

18
ALRC's perceived gaps in Australian law…
• Limitations of existing APPs

– APP 11 (requiring an APP entity to destroy / de-identify personal

information no longer required) and APP 13 (requiring an APP entity
to correct personal information on request by an individual) do not
go far enough
– APP 11 is designed to keep data bases accurate, and APP 13 focuses
on inaccurate information

• No tort of privacy (but has been proposed by ALRC)

• Limitations on ACMA's existing powers – ACMA lacks the power

to determine that compensation be paid to an individual whose
privacy is invaded by a broadcaster

19
Update on ALRC's position
• Final report dated June 2014 was tabled in Parliament on
3 September 2014

• Retreats from recommending a new APP

• Considers that the issue becomes part of the "ongoing consent"

consideration under a statutory privacy tort

• New APP had been opposed by OAIC because of the potential to

disrupt business practices

• ALRC remains concerned about shortcomings of existing APPs

20
Overview
Context What is the "right to be forgotten"?
Europe EC 1995 Data Protection Directive
• Google case
New proposal for a "right to be forgotten"
Australia ALRC's proposal – a "right to be deleted"
• Why has this been contemplated?
• ALRC's perceived gap in current Australian law
• Current status

Asia • Hong Kong

• India
• The Philippines
• Singapore

Policy considerations Balancing interests

• Freedom of expression v privacy
• Re-writing history v privacy
• Real-name policies v right of pseudonymity
• Anonymity v accountability

Next steps Where to from here?

21
Hong Kong
• Personal Data (Privacy) Ordinance

• Section 26 (Erasure of personal data no longer required);

• Section 26(1):
• "A data user shall erase personal data held by the data user where the
data are no longer required for the purpose … for which the data were
used unless:
a) any such erasure is prohibited under any law; or
b) it is in the public interest (including historical interest) for the data not to be
erased."
• Privacy Commissioner Allan Chiang Yam-Yang has called for Google
to entertain removal requests from Hong Kong and other parts of
the world, acknowledging that Google may be beyond Hong Kong's
jurisdiction.

22
India
• Information Technology Act 2000, Information Technology Rules
2011
• Rule 5 (Collection of information):
• "(7) The provider of information [to a body corporate] shall, at any time
while availing the services or otherwise, also have an option to withdraw
its consent given earlier to the body corporate."

• On 31 May 2014, Medianama.com became the first Indian website

to be asked by an individual to remove a link.

• Website owner declined a request ultimately withdrawn.

23
The Philippines
• Data Privacy Act 2012
• Section 16 (Rights of the data subject) include to:
• "(d) dispute the inaccuracy or error in the personal information and have
the personal information controller correct it immediately and
accordingly, unless the request is vexatious or otherwise unreasonable …
third parties who have previously received such process personal
information shall be informed of its inaccuracy and its rectification upon
reasonable request of the data subject."

• No general call for a "right to be forgotten".

24
Singapore
• Personal Data Protection Act 2012
• Section 16 (Withdrawal of consent):
• "(1) On giving reasonable notice to the organisation, an individual may at
any time withdraw any consent given, or deemed to have been given
under this Act, in respect of the collection, use or disclosure by those
organisations of personal information about the individual for any
purpose…
• (4) if an individual withdraws consent to the collection, use or disclosure
of personal data…, the organisation shall cease … collecting, using or
disclosing the personal data …"
• Section 22 (Correction of personal data):
• "(1) an individual may request an organisation to correct an error or
omission in the personal data about the individual that is in the
possession or under the control of the organisation.
• Singapore has joined with Hong Kong in requesting Google to
develop a similar "right to be forgotten" system for its citizens.

25
Overview
Context What is the "right to be forgotten"?
Europe EC 1995 Data Protection Directive
• Google case
New proposal for a "right to be forgotten"
Australia ALRC's proposal – a "right to be deleted"
• Why has this been contemplated?
• ALRC's perceived gap in current Australian law
• Current status

Asia • Hong Kong

• India
• The Philippines
• Singapore

Policy considerations Balancing interests

• Freedom of expression v privacy
• Re-writing history v privacy
• Real-name policies v right of pseudonymity
• Anonymity v accountability

Next steps Where to from here?

26
 Balancing interests…
Real-name Freedom of
policies v right of expression v
pseudonymity privacy

Source:
http://mashable.com/2014/05/13/right-to-be-
forgotten-europe-google/

Re-writing Anonymity v
history v privacy accountability

27
Overview
Context What is the "right to be forgotten"?
Europe EC 1995 Data Protection Directive
• Google case
New proposal for a "right to be forgotten"
Australia ALRC's proposal – a "right to be deleted"
• Why has this been contemplated?
• ALRC's perceived gap in current Australian law
• Current status

Asia • Hong Kong

• India
• The Philippines
• Singapore

Policy considerations Balancing interests

• Freedom of expression v privacy
• Re-writing history v privacy
• Real-name policies v right of pseudonymity
• Anonymity v accountability

Next steps Where to from here?

28
Where to from here?

Source: http://www.techhive.com/article/2359982/what-
the-eus-new-right-to-be-forgotten-online-means.html

Source: http://commonseoquestions.com/2014/07/25/the-
right-to-be-forgotten/

29
This presentation material is intended to provide a summary of the subject
matter covered for training purposes only. It does not purport to be
comprehensive or to render legal advice. No reader should act on the basis of
any matter contained in this presentation without first obtaining specific
professional advice.

AUSTRALIA BELGIUM CHINA FRANCE GERMANY HONG KONG SAR INDONESIA (ASSOCIATED OFFICE)
ITALY JAPAN PAPUA NEW GUINEA SAUDI ARABIA SINGAPORE SPAIN SWEDEN
UNITED ARAB EMIRATES UNITED KINGDOM UNITED STATES OF AMERICA
231673762_1