While the last refrains of “should old acquaintance be forgot” fade away from New Years’ Eve celebrations, 2014 may be remembered as the year of the “right to be forgotten” in light of an EU privacy ruling last May. Below we cover that ruling and other significant events from 2014 — an eventful year in privacy in the EU.
The Right to Be Forgotten
The right to be forgotten ruling dates back to a 2010 complaint by a Spanish citizen against a Spanish newspaper, Google Spain, and Google Inc. The citizen complained that under the EU’s 1995 Data Protection Directive (the Directive), an auction notice of his repossessed home on Google’s search results infringed his privacy rights because the proceedings concerning him had been resolved.
The matter was referred to the Court of Justice of the European Union (Court of Justice), and a ruling was issued on May 13, 2014. The decision held that search engines are “data controllers” under the Directive and, as such, must provide data subjects with the right to be forgotten. This allows an individual to request that search engines remove links and URLs derived from a search based on the person’s name. The right is not absolute but is subject to, among other conditions, a case-by-case assessment to consider the type of information in question and the interest of the public in having that information. Since the May 2014 ruling, EU regulators have called for a broader application of the ruling, while search engines have tried to limit its impact. In November 2014, new EU guidelines called for search engines to apply the right to be forgotten globally across all sites. However, Google has pushed back and has implemented such requests only in its European sites, such as Google.fr or Google.co.uk, but not Google.com.
How the right to be forgotten will play out in 2015 and beyond remains to be seen, but it is potentially shaping up as a clash between freedom of expression and individual privacy. Already, Google has received almost 200,000 requests to remove links and has agreed to do so about 42 percent of the time.
In another significant 2014 EU privacy ruling, the Court of Justice ruled in December that owners of home surveillance cameras could be breaching the Directive when those cameras are used to monitor public spaces. The decision arose from a Czech Republic citizen who had set up a camera to monitor the path outside his home in response to a recent burglary. When a suspect was caught on camera and the recording used as evidence in subsequent criminal proceedings, the suspect made a complaint to the Czech Data Protection Office that the surveillance system was unlawful.
The Court of Justice held that the image of an identifiable person captured on camera is “personal data” under the Directive and the recording was considered to be the processing of personal data by automatic means. The recording of a public space was also held to be not conducted in a “purely personal or household setting” under a strict reading of the Directive, which guarantees that individual privacy rights will be strongly protected.
The General Data Protection Regulation
In another major 2014 development, significant progress was made toward unifying EU privacy law when in March 2014 the European Parliament voted in favor of an amended version of the EU General Data Protection Regulation (GDPR) first proposed by the EU Commission in 2012. The GDPR would unify data protection in the EU with a single comprehensive framework applicable to all EU member states. At this point, the Council of the European Union (the 28 EU member states) needs to finalize its version of the draft regulation before negotiations can enter their final stage, but it is now generally believed that a tipping point has been reached and we could see the GDPR finalized in 2015.