CONTENTS Introduction 1 I. Background 3 A. Google Spain v. AEPD 4 B. EU Data Protection Directive 6 C. GDPR and the Right to Erasure 7 D. EU Privacy and Freedom of Expression Laws 7 E. Scholars' Recommendations for Resolving Privacy and the Freedom of Expression 10 F. Reconciling Historical Definitions of Privacy with the Law of Privacy 11 II. Analysis 15 A. Unresolved Ambiguities in Article 17 16 B. Right to Erasure vs. Freedom of Expression 17 C. Analyzing the Treatment of Data Privacy Cases by EU Courts 18 D. The Elements of Erasure 22 E. Applying the Elements of Erasure to Google Spain v. AEPD 27 Conclusion 27 Appendix A 29 INTRODUCTION
Should individuals have the right to ask Google or a local newspaper to erase pictures, descriptions, or audio of themselves in certain circumstances? Should individuals feel differently about unflattering pictures taken after winning their elementary school's spelling bee or pictures of them partying on spring break? What rights do individuals have regarding pornographic videos of themselves posted online? Should their rights differ if the pornographic material is revenge porn? Should individuals be able to erase their mugshots after they got arrested for public intoxication in college? What if the information posted online relates to the number of steps an individual took one day and posted online through a health tracker, and then subsequently found the information displayed on an unrelated blog post? Should the individual have a right to remove the information from being displayed to the public?
Assume that an individual witnessed a crime in public and their picture was plastered all over the news. Should that individual have legal protections to prevent the images from being displayed although the individual is only in the pictures' background and saw the photographers? Would individuals generally feel differently about pictures of their toddlers being published globally? What if an individual's famous long-term ex is detailing everything humiliating the individual has done in an autobiography, does it matter if a pseudonym is used for the person's name? What about publishing a private conversation an individual had in public?
Privacy laws are rapidly emerging and developing, yet remain a relatively unstructured area of law with vast global disparities in both legislation and common law. (2) The European Union General Data Protection Regulation (GDPR), coming into force in mid-2018, will radically change the data privacy climate. Article 17 of the GDPR, the right to erasure (RTE), which is synonymous with the right to be forgotten (RTBF) for this Note's purposes, allows the erasure of personal data under specific circumstances. (3) Article 17 is often considered vague or unclear in certain aspects, particularly when it conflicts with the right to freedom of expression. This Note aims to clarify, based on international law, common law, and notions of privacy, when privacy should prevail over the right to free expression, justifying an individual's right to erasure.
This Note generates a balancing test that will be termed "elements of erasure (EOE)." This test proposes factors courts and practitioners can use to evaluate and allow or deny an Article 17 RTE request when individuals request the erasure of published "private information" and the cases do not explicitly fall under the clear circumstances that warrant or prevent erasure in sub-articles (1)(a)-(e) (4) or when the cases may conflict with sub-article(3)(a) (5) . These factors list the relevant elements of privacy in the context of publishing personal information and freedom of expression, and aim to clarify which information is considered private under the right to erasure, thus permitting its erasure under the GDPR's RTE in accordance with the European Charter of Human Rights and the Charter of Fundamental Rights of the European Union. The EOE conceptualize elements of privacy by analyzing English common law, cases decided by courts including the Court of Justice of the European Union (CJEU) and the European Court of Human Rights (ECtHR), and various scholars' arguments and theories. (6)
Part II of this Note discusses background information including an influential case, the Data Protection Directive, the GDPR and Article 17, EU laws pertaining to the right to freedom of expression and the right to privacy. Part II also discusses the meaning of privacy and provides the necessary background to build a foundation for the "elements of erasure." Part III discusses unresolved ambiguities within the GDPR, examines tensions between the right to freedom of expression and the right to privacy, analyzes data privacy court decisions, and presents the balancing test coined, "elements of erasure," to assess RTE requests comprehensively and ensure individual privacy protections and control of personal data and information without stifling the freedom of expression and information.
A few important notes regarding the topic and scope of this Note: 1) This Note rests on the assumption that the RTE should be based on the right to privacy in EU law as implied in Article 17(1)(d)-(e); 2) when discussing erasure, this Note refers to the simple erasure of data: the technical delisting, delinking, or removal of data being displayed; 3) the EOE aim to provide a solution for individual cases with Article 17 requests that do not neatly fall under Article 17(1)(a)-(c),(f) and 17(3)(b)-(e) which state clear circumstances that warrant erasure such as withdrawal of consent or clear circumstances that prohibit erasure such as established public interest purposes or legal obligations; and 4) the EOE do not discuss nor consider cases with Article 17 requests as a result of the publication of mass data and private information or data breaches.
In a landmark case against Google Spain, a man successfully sued Google to remove an unfavorable link concerning himself, an outcome that changed the way we perceive the role of search engines in our society. This case has implications on privacy and the freedom of information in general, and in particular, stirs the debate on whether, and if so when, individuals can request the removal of personal information from the public realm. This section delves into the details of Google Spain v. AEPD to better understand the implications of the decision on the RTE, the laws the case was based on; the EU Data Protection Directive, the GDPR and Article 17, followed by an explanation of EU privacy and freedom of expression laws. Different understandings and conceptualizations of privacy culminate this section.
Google Spain v. AEPD
In 2014, a Spanish citizen prevailed in his complaint against a Spanish daily newspaper, Google Inc., and Google Spain after a portion of his complaint sought to remove or alter pages that depicted a forced real-estate auction as a result of attachment proceedings from social security debts. (7) He argued that the pages were irrelevant given that the proceedings were resolved. (8) The CJEU outlined features that were used to assess the data's compatibility with the directive (9) and considered the interference of this information with elements of his private life, (10) "the legitimate interest of internet users potentially interested in having access to that information," "the nature of the information in question and its sensitivity for the data subject's private life," "the role played by the data subject in private life," whether the data is relevant or not, and whether the data was "excessive in relation to the purposes for which they were processed." (11) Ultimately, the court ruled that the RTBF may apply even when data has been lawfully processed if the data is "inadequate, irrelevant or no longer relevant, or excessive in relation to those purposes and in the light of the time that has elapsed." (12) The court also explained that the RTBF is not an absolute right and must be weighed against other legitimate interests and rights. (13)
Although the court ruled that Google, as an internet search engine, should comply with requests to remove private information that meets the standards the court outlined, the court did not order the newspaper to remove the information too. (14) This element has perplexed scholars, and has not been explained by the court other than stating that it was published lawfully. (15) The court also stated that the search engine's activities include collecting, retrieving, recording, organizing, storing, and disclosing data, which makes the search engine a data controller. (16) As a data controller, Google is subject to the Data Protection Directive (the Directive) (the current EU data protection law that precedes the GDPR), meaning that the court effectively ruled that the search engine operator must comply with the Directive and remove the personal information from the search results as requested by the data subject. (17) This was a highly controversial decision which lead to widespread debates over the right to be forgotten and its effect on the freedom of expression. (18)
While this decision was heavily applauded, it was also widely criticized and viewed as a restriction to the freedom of speech and expression. One way to phrase the CJEU ruling is by saying it has "interpreted the Directive as creating a presumption that Google must delete links to personal information from search results at the request of a data subject unless a strong public interest suggests otherwise." (19) Critics argue that this interpretation places too much power and control of public information in the hands of private entities, arguing that the court interpreted the Directive incorrectly when they broadened the interpretation of a data controller and found Google to be a controller, not a processor, based on having a search algorithm, although the search engine does not produce and publish its own content. (20) This case also raises questions...