Tuesday, May 13, 2014
Cross-posted from Bill of Health
A resident of Spain allegedly owed back taxes triggering attachment proceedings. The local newspaper published the details of an upcoming auction of his property in early 1998. At some point the issue was settled. However, the matter was not forgotten—the newspaper was online and a Google search of the gentleman’s name returned this history. He complained to the Spanish data protection agency (AEPD) that he had a right to have older, irrelevant information erased and that Google should remove the links. The AEPD agreed and Google sued for relief. The Spanish High Court referred the interpretation of the Data Directive (95/46) to the European Court of Justice in 2010 and in 2013 the Advocate-General issued an advisory opinion supportive of Google’s position. Somewhat surprisingly the European Court of Justice has now taken the opposite view (Case C‑131/12, Google Spain SL v. AEPD, May 13, 2014).
Several aspects of the judgment are noteworthy (such as the holding that a search engine is a data processor). However, the primary importance of the decision by Europe’s top court is that Article 12(b) of Directive 95/46 provides a right to data erasure or, as it is sometimes referred to, a right to be forgotten. In the words of the court:
[Unlawful data processing] may result not only from the fact that such data are inaccurate but, in particular, also from the fact that they are inadequate, irrelevant or excessive in relation to the purposes of the processing, that they are not kept up to date, or that they are kept for longer than is necessary unless they are required to be kept for historical, statistical or scientific purposes.
The practical implications not only for search engines but also for data brokers are considerable. Much of the profiling information stored in big data warehouses was originally collected for narrower purposes or for purposes or transactions that have now run their course.
In the context of health data protection in the U.S. I have argued that In order to sustain our traditionally strong protection for health information, big data needs to be reined in and prevented from creating data “proxies” for health information that exist outside of HIPAA-protected space. I have advocated two improved protections; first, enhanced protections should limit the data than brokers may collect, and second, data subjects should be provided a quasi-property right of erasure that “follows” that data. U.S. privacy advocates now have a major privacy “beacon” to invoke.
In Europe the court’s decision also may have major political ramifications. The draft data protection regulation that explicitly recognizes the right of erasure (as well as introducing other privacy rights) has been making robust progress through Europe’s political institutions, recently receiving the strong endorsement of the European Parliament. About the only serious hurdle in its path may be shifts in power resulting from the imminent European elections. Now, that the fourth branch of the EU government has interpreted existing law as already including that right, the new law may prove unstoppable.